f8dfc6adcdfef82679156039cbf58891dfbb3ae1c7b1ca5b69edd5b8b02af56a

Analysis

max time kernel
164s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pdf24-creator-11.13.1-x64.exe
Size

301.9MB
MD5

4a708880572c4a3f2d0af162af2d9465
SHA1

62b540417dc9696b3bbd20ebae9bf2764ae2dd15
SHA256

f8dfc6adcdfef82679156039cbf58891dfbb3ae1c7b1ca5b69edd5b8b02af56a
SHA512

a934ff33c40f9def54d8bc2992e31404c1cebc74eefa9bc70c361129c9e4fb2296c4901b97f7e368a257e92ecd238b50f158e02258af130e0d8f5f3fcc666b5c
SSDEEP

6291456:w9XW2jbnkPq5jAVggIFFTfh0SKRva9xLbfwVonCn4INDevOlM7JVJ:AXW2jbnJBAXKpfD9xLbfwmCtq+M7JVJ

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDF24 = "\"C:\\Program Files\\PDF24\\pdf24.exe\""	pdf24-creator-11.13.1-x64.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	pdf24-Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	pdf24-creator-11.13.1-x64.tmp

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	OfficeClickToRun.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pdf24.ppd	pdf24-PrinterInstall.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pdf24.ppd	pdf24-PrinterInstall.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PS5UI.DLL	pdf24-PrinterInstall.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE	OfficeClickToRun.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT.NTF	pdf24-PrinterInstall.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT5.DLL	pdf24-PrinterInstall.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT.HLP	pdf24-PrinterInstall.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\PDF24\lang\is-6BC42.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\doc\src\is-CLD8G.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\bin\is-2GA0V.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\include\qpdf\is-4L9GF.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\share\doc\qpdf\manual-html\_static\css\fonts\is-Q3LA7.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\jre\bin\is-474CM.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\jre\bin\is-6A4H8.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\jre\legal\java.xml\is-4F8VC.tmp	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\jre\bin\api-ms-win-crt-utility-l1-1-0.dll	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\WebView2\mojo_core.dll	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\pdfjs\cmaps\is-QSEEC.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-TQ75U.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-IV1R0.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\include\qpdf\is-RBHGT.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\share\doc\qpdf\examples\is-38AG5.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\WebView2\is-38TP5.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\WebView2\Locales\is-KPPMI.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\jre\bin\is-EKSUE.tmp	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\qpdf\bin\zlib-flate.exe	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\xrechnung\material-icons\is-AOG1L.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\examples\is-0363Q.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\examples\cjk\is-MH671.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-G6E01.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\share\doc\qpdf\manual-single-page-html\_static\is-CDTML.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\tesseract\tessdata\tessconfigs\is-GD4NU.tmp	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\gs\bin\gswin64.exe	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\img\is-M79Q1.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\invoice-generator\fonts\fontawesome\webfonts\is-0M0EK.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\bin\is-5E64N.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-SFULT.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\lib\is-ASM47.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\wx\i18n\is-LK2JJ.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-CM4GQ.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\include\qpdf\is-UPOFG.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\css\is-J0T28.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\img\icons\is-98Q2Q.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\pdfjs\cmaps\is-PQQG4.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\pdfjs\cmaps\is-GNR0T.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\pdfjs\cmaps\is-Q4607.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-R2S7B.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-QJGV5.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\share\doc\qpdf\manual-single-page-html\_static\css\fonts\is-7QV4O.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\jre\bin\is-60BRH.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\jre\legal\java.base\is-TAOE2.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\jar\is-A0KVH.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\img\icons\is-CP8D1.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\pdfjs\cmaps\is-92R8G.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\doc\src\is-LPQ2T.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-16CKF.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\include\qpdf\is-THL5O.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\WebView2\Locales\is-H988S.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\lib\is-6NO3Q.tmp	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\tesseract\tesseract.exe	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\msvcp140_atomic_wait.dll	pdf24-creator-11.13.1-x64.tmp
File opened for modification	C:\Program Files\PDF24\WebView2\msedge.dll	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\html\is-LGLCD.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\pdfjs\cmaps\is-Q17SG.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\wx\i18n\is-A2EEM.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\doc\src\is-AUV3O.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\share\doc\qpdf\manual-html\_static\css\is-IQAGG.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\lib\toolbox\js\is-9RLFV.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\doc\src\is-76UEG.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\gs\doc\src\_static\is-GEDMB.tmp	pdf24-creator-11.13.1-x64.tmp
File created	C:\Program Files\PDF24\qpdf\share\doc\qpdf\manual-single-page-html\_static\css\fonts\is-SC0NJ.tmp	pdf24-creator-11.13.1-x64.tmp

Executes dropped EXE 10 IoCs

pid	Process
1704	pdf24-creator-11.13.1-x64.tmp
3716	pdf24-PrinterInstall.exe
2672	pdf24-PrinterInstall.exe
4324	pdf24-PrinterInstall.exe
4532	pdf24.exe
4880	pdf24.exe
2568	pdf24.exe
2692	pdf24-Launcher.exe
4484	pdf24-Creator.exe
3304	pdf24-Updater.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4160	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
4872	regsvr32.exe
4872	regsvr32.exe
4872	regsvr32.exe
4872	regsvr32.exe
336	regsvr32.exe
336	regsvr32.exe
336	regsvr32.exe
336	regsvr32.exe
336	regsvr32.exe
336	regsvr32.exe
336	regsvr32.exe
3716	pdf24-PrinterInstall.exe
3716	pdf24-PrinterInstall.exe
3716	pdf24-PrinterInstall.exe
3716	pdf24-PrinterInstall.exe
3716	pdf24-PrinterInstall.exe
2672	pdf24-PrinterInstall.exe
2672	pdf24-PrinterInstall.exe
2672	pdf24-PrinterInstall.exe
2672	pdf24-PrinterInstall.exe
4324	pdf24-PrinterInstall.exe
4324	pdf24-PrinterInstall.exe
4324	pdf24-PrinterInstall.exe
4324	pdf24-PrinterInstall.exe
4532	pdf24.exe
4532	pdf24.exe
4532	pdf24.exe
4532	pdf24.exe
4532	pdf24.exe
4532	pdf24.exe
4532	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
2568	pdf24.exe
4880	pdf24.exe
4880	pdf24.exe
1704	pdf24-creator-11.13.1-x64.tmp
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
4484	pdf24-Creator.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32\ = "C:\\Program Files\\PDF24\\PdfPreviewHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{F78FD16B-3DA7-4935-82E9-B82D9C1ED0AE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F78FD16B-3DA7-4935-82E9-B82D9C1ED0AE}\InprocServer32\ = "C:\\Program Files\\PDF24\\ShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F78FD16B-3DA7-4935-82E9-B82D9C1ED0AE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with WMI 3 IoCs

evasion

pid	Process
4088	WMIC.exe
4328	WMIC.exe
2732	WMIC.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000875af0f1d55bc04fbde37971e49f17540000000002000000000010660000000100002000000028166bbf2bb0922a0691e8cf2274c7c5dd65539f5085163320e4af05359a3e33000000000e8000000002000020000000a364e5b305e0a8ffada913004673b935956898e8d6024c017fc50f74a7a9f4acf003000060b7e98b1461e4f1358d458e061b257f0b2852091c49162bb274a1ec84188cde9db727c0672193938fd4fbe302859fc32912149a4568efc90e4830e604c850c65ee8eefddd5329ef5b62a31c2557212a7cd7aaa830fa929d5eac87f82b33c7427e6a82b9c8ad2ff8c01f38e96bd8c9d2a6d6f57d058d30fcfb4ca37963654c6fc6d12e2dc6b3a6422bcbcda6e12111a5861b0f6f5997aced34af3854372d9a976d55dd7de62c7607ec829c3e61774290fd0919f126ce9496712a4a55e3185ab57454ce2806080cb56142f34f60e9dcef41e0e496a47b9385f71d6413fd9259d6115b04e4805b9ab32c80635c0ae89f84c444a06687a04eea51f291cef17affd88744b3b576eab7c521624089161829a2c9c07a071945875fa94fbe403a8edb3a871835b31dc79e86346aad8e422e306b85ddaaf13d55d064b947baca7387befd6b4d685d49642bb93f1357384c5b54f911c56dbc4a9ff27c457fe5efd08bd0ec383266f616f72c2a3398b2532be948ec7740da2690fcb478232ee48646d63933ed449382bd9c1851977f63d82cca5487d65f0ed8470a4e47fdc97226e727c2d61ee1f1588350d839bde963b01c289abb4cb612e26300ef62dc70eee58175e3431a18af9b8d1efa5812b6e53fb28aff271a1704fecb3197c920932a8f915cff3b7c5e63d3210d27e13653522b216056a9dd4e646830c7e016208c336326c06ab8ffb691f579e2fa7b16af8130224850c98f6c0450944792b0032401a675e757358c4355c7706b8de6ef3d7f70fac88ad5be6aac03eec5dd778465bcb99f60ec9fb5c9e72363842c461e740f184f9f2f217906afbf83f68ea601a06fc5d99787081450f29603958a14ba4122abe5b4ba86581d216b4ee61d54a445d8df719bc9f4e8f61b17000128d6d7bb8d913e06759f32b883a7e6711d6423740d3121eb1cb4ef306c05f85bf4af8d7889e25020c12013ac1bea957add7ada142cae9cea0e671cddc983105af803b76187fc0b1425f020fa1ee1c8c2fb3ec749608e04abfa5f48174b8343b956907faf34d41413bfdccc0d3a6febe815bf4b0f37f80d900352a44896f48b46b696d3aa81fa3c2c9847e1800282e04f21ae6077e9607b3764468bad40a5045189cee691e29bbf5973d801763a6bed01feaafd8cfeccc140452974490aa7abd29951713dd2cd911d488f5a2087d9bd665295bf1e5a00adac3e8c1661895892d52ca01cec76b9c09ffa2d60506504e99eaf29bbe82069b5e5d91e877fa2e50c5d53a6baa375ec39ec802b85c0c5268f1ba0fe9d36606028aea7f808d36a80b7f6778b41f83f4ba5a3006adf95edfa33ee33255646ab87771945701c7e48695164ce36f5d22a4aca22c4d1ba85d051cc84a05ee99c2c319e8481a33b002f1a7695133ef680e630c1dde3fc40000000ff395e2a4445277dcae678388c4a4dee8d9bcb18d553a6fba2aed3aa0fc8346b8ecbe72c640c992deaa03cab260c71485fe39d177783339c693b986af58f9c8c	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAELL/Pn8mRo8wW07Ug0FYPX/gAEyujTqLCYRGnrHBHCGfF1LsSj6exgh6lj8ISCYghmXYfRw/kSxardILvb0q2sEjR+/i6B0elenx4s8esrPzEQoxhu/JIW4MpZxvA7fu4byITFHirWY3jqFeyqDv7/Rn2l1e1r9D/GXqiVNjXPjoLFPCMLnX+G/dUz1wjqAPBM4mxMI8Yc7vmyZqLFkmCZWPeK9VSPm8MgBJGxNlxWRQP9y9tIW/2xcLNOkgTwexekj09d0srDo8kqvW+0Upxm6XPwG+WbbI7ckFn0r0tCo6MMIuHFi1UeCR3lgQFAEprCxjHQE=&p="	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00A819BDAE3 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000875af0f1d55bc04fbde37971e49f17540000000002000000000010660000000100002000000076908c7880c56c8aaf50d146afa90dcea3c8fd7e3cb7e2e66ddc937e0d2808e1000000000e8000000002000020000000bfb455062356fdc6dc420952f8217a78f1570ec9e32d989ca6e5a6713eb9c6aa80000000a69394f9d5270942a82a4cb7e4baf2fa23a079bf2cdfc0ca28697db5df1c107285376f6d57d33363f002d67578dce4f095e83b8cb6368edd2dbec153dddc775878c37b754eb3a44bc8cfedaefa999a1436838d3418905d3914dd28e2f27d3ef4fd40b3ddc8a1456e0696fb579ef58de77bcccad17450a963e72fc08e6c74793f4000000095a788670b733aa45f6e435219b1c4f017ab1396e86a70bbf8853b66ccf0e8afb0772b8b4c1f9a7c31339f86ee232a31967527b1a1eaf115c3ff70e6c0ea7000	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDF24	pdf24.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceId = "0018C00A819BDAE3"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\PDF24\UserId = "3595FF3F-101B-11EE-85C3-4246F366654C"	pdf24.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell\Open	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Toolbox\Shell\Open\Command\ = "\"C:\\Program Files\\PDF24\\pdf24-Toolbox.exe\" \"%1\""	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\PDF24\ = "PDF24"	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\ = "PDF24 PDF Preview Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Compress\Shell\Open\Command	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Toolbox\DefaultIcon	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Toolbox\Shell	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Toolbox\Shell\Open\Command	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\DefaultIcon\ = "C:\\Program Files\\PDF24\\Resources.dll,-101"	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Creator\DefaultIcon	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Creator\DefaultIcon\ = "C:\\Program Files\\PDF24\\pdf24-Creator.exe,-100"	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\DisplayName = "PDF24"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{F78FD16B-3DA7-4935-82E9-B82D9C1ED0AE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Creator\Shell\Open\Command\ = "\"C:\\Program Files\\PDF24\\pdf24-Creator.exe\" \"%1\""	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Compress\Shell\Open	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.DocTool\ = "PDF24 DocTool"	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\PDF24\MultiSelectModel = "Player"	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell\PrintTo\Command	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Creator\Shell\Open	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Compress\Shell	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Toolbox	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Reader\Shell\PrintTo\Command	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Toolbox	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell\PrintTo	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PDF24\ = "PDF24"	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32\ = "C:\\Program Files\\PDF24\\PdfPreviewHandler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Compress	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\PDF24\Icon = "C:\\Program Files\\PDF24\\pdf24-DocTool.exe"	pdf24-creator-11.13.1-x64.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\DisableLowILProcessIsolation = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F78FD16B-3DA7-4935-82E9-B82D9C1ED0AE}\InprocServer32\ = "C:\\Program Files\\PDF24\\ShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\PDF24\ = "PDF24"	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell\Open\Command	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Compress\ = "PDF24 Compress"	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Compress\DefaultIcon	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Creator	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\PDF24.DocTool	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\background\shell\PDF24\Command	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Reader\DefaultIcon	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Compress\Shell\Open\Command\ = "\"C:\\Program Files\\PDF24\\pdf24-Compress.exe\" \"%1\""	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.DocTool\DefaultIcon\ = "C:\\Program Files\\PDF24\\pdf24-DocTool.exe,-100"	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell\Print\Command	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\PDF24\Command\ = "\"C:\\Program Files\\PDF24\\pdf24-DocTool.exe\" -showFileUi -multiProcess -sort \"%1\""	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\InprocServer32\ = "C:\\Program Files\\PDF24\\PdfPreviewHandler.x86.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.DocTool\Shell\Open	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Toolbox\ = "PDF24 Toolbox"	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.Reader	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\Shell\Print	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\*\shell\PDF24	pdf24-creator-11.13.1-x64.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDF24.DocTool\Shell\Open\Command	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\PDF24\Icon = "C:\\Program Files\\PDF24\\pdf24-DocTool.exe"	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\PDF24\Icon = "C:\\Program Files\\PDF24\\pdf24-DocTool.exe"	pdf24-creator-11.13.1-x64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}\AppID = "{6D2B5079-2F0B-48DD-AB7F-97CEC514D30B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDF24.Reader\ = "PDF24 Reader"	pdf24-creator-11.13.1-x64.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	pdf24-creator-11.13.1-x64.tmp
1704	pdf24-creator-11.13.1-x64.tmp
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1856	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4328	WMIC.exe
Token: SeSecurityPrivilege	4328	WMIC.exe
Token: SeTakeOwnershipPrivilege	4328	WMIC.exe
Token: SeLoadDriverPrivilege	4328	WMIC.exe
Token: SeSystemProfilePrivilege	4328	WMIC.exe
Token: SeSystemtimePrivilege	4328	WMIC.exe
Token: SeProfSingleProcessPrivilege	4328	WMIC.exe
Token: SeIncBasePriorityPrivilege	4328	WMIC.exe
Token: SeCreatePagefilePrivilege	4328	WMIC.exe
Token: SeBackupPrivilege	4328	WMIC.exe
Token: SeRestorePrivilege	4328	WMIC.exe
Token: SeShutdownPrivilege	4328	WMIC.exe
Token: SeDebugPrivilege	4328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4328	WMIC.exe
Token: SeRemoteShutdownPrivilege	4328	WMIC.exe
Token: SeUndockPrivilege	4328	WMIC.exe
Token: SeManageVolumePrivilege	4328	WMIC.exe
Token: 33	4328	WMIC.exe
Token: 34	4328	WMIC.exe
Token: 35	4328	WMIC.exe
Token: 36	4328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe
Token: 34	4088	WMIC.exe
Token: 35	4088	WMIC.exe
Token: 36	4088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: 36	2732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1704	pdf24-creator-11.13.1-x64.tmp
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1704	pdf24-creator-11.13.1-x64.tmp
1704	pdf24-creator-11.13.1-x64.tmp
1704	pdf24-creator-11.13.1-x64.tmp
1704	pdf24-creator-11.13.1-x64.tmp
1704	pdf24-creator-11.13.1-x64.tmp

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe
1856	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4328	OfficeClickToRun.exe
2692	pdf24-Launcher.exe
2692	pdf24-Launcher.exe
4484	pdf24-Creator.exe
4484	pdf24-Creator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 1704	3584	pdf24-creator-11.13.1-x64.exe	86
PID 3584 wrote to memory of 1704	3584	pdf24-creator-11.13.1-x64.exe	86
PID 3584 wrote to memory of 1704	3584	pdf24-creator-11.13.1-x64.exe	86
PID 1704 wrote to memory of 4160	1704	pdf24-creator-11.13.1-x64.tmp	88
PID 1704 wrote to memory of 4160	1704	pdf24-creator-11.13.1-x64.tmp	88
PID 1704 wrote to memory of 4160	1704	pdf24-creator-11.13.1-x64.tmp	88
PID 1704 wrote to memory of 4088	1704	pdf24-creator-11.13.1-x64.tmp	94
PID 1704 wrote to memory of 4088	1704	pdf24-creator-11.13.1-x64.tmp	94
PID 1704 wrote to memory of 4088	1704	pdf24-creator-11.13.1-x64.tmp	94
PID 1704 wrote to memory of 4328	1704	pdf24-creator-11.13.1-x64.tmp	96
PID 1704 wrote to memory of 4328	1704	pdf24-creator-11.13.1-x64.tmp	96
PID 1704 wrote to memory of 4328	1704	pdf24-creator-11.13.1-x64.tmp	96
PID 1704 wrote to memory of 2732	1704	pdf24-creator-11.13.1-x64.tmp	98
PID 1704 wrote to memory of 2732	1704	pdf24-creator-11.13.1-x64.tmp	98
PID 1704 wrote to memory of 2732	1704	pdf24-creator-11.13.1-x64.tmp	98
PID 1704 wrote to memory of 1788	1704	pdf24-creator-11.13.1-x64.tmp	106
PID 1704 wrote to memory of 1788	1704	pdf24-creator-11.13.1-x64.tmp	106
PID 1704 wrote to memory of 4872	1704	pdf24-creator-11.13.1-x64.tmp	107
PID 1704 wrote to memory of 4872	1704	pdf24-creator-11.13.1-x64.tmp	107
PID 1704 wrote to memory of 4872	1704	pdf24-creator-11.13.1-x64.tmp	107
PID 1704 wrote to memory of 336	1704	pdf24-creator-11.13.1-x64.tmp	108
PID 1704 wrote to memory of 336	1704	pdf24-creator-11.13.1-x64.tmp	108
PID 1704 wrote to memory of 3716	1704	pdf24-creator-11.13.1-x64.tmp	109
PID 1704 wrote to memory of 3716	1704	pdf24-creator-11.13.1-x64.tmp	109
PID 1704 wrote to memory of 2672	1704	pdf24-creator-11.13.1-x64.tmp	111
PID 1704 wrote to memory of 2672	1704	pdf24-creator-11.13.1-x64.tmp	111
PID 1704 wrote to memory of 4324	1704	pdf24-creator-11.13.1-x64.tmp	114
PID 1704 wrote to memory of 4324	1704	pdf24-creator-11.13.1-x64.tmp	114
PID 1704 wrote to memory of 4532	1704	pdf24-creator-11.13.1-x64.tmp	116
PID 1704 wrote to memory of 4532	1704	pdf24-creator-11.13.1-x64.tmp	116
PID 1704 wrote to memory of 2568	1704	pdf24-creator-11.13.1-x64.tmp	118
PID 1704 wrote to memory of 2568	1704	pdf24-creator-11.13.1-x64.tmp	118
PID 1704 wrote to memory of 1400	1704	pdf24-creator-11.13.1-x64.tmp	119
PID 1704 wrote to memory of 1400	1704	pdf24-creator-11.13.1-x64.tmp	119
PID 1400 wrote to memory of 2180	1400	msedge.exe	120
PID 1400 wrote to memory of 2180	1400	msedge.exe	120
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122
PID 1400 wrote to memory of 4536	1400	msedge.exe	122

C:\Users\Admin\AppData\Local\Temp\pdf24-creator-11.13.1-x64.exe
"C:\Users\Admin\AppData\Local\Temp\pdf24-creator-11.13.1-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\is-TTCBD.tmp\pdf24-creator-11.13.1-x64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TTCBD.tmp\pdf24-creator-11.13.1-x64.tmp" /SL5="$9005C,315538092,890880,C:\Users\Admin\AppData\Local\Temp\pdf24-creator-11.13.1-x64.exe"
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop pdf24
    3⤵
    - Launches sc.exe
    PID:4160
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" PROCESS WHERE "Name='prevhost.exe' AND CommandLine LIKE '%{09E6D117-5330-4A29-8C20-0C3AF9F90A1C}%'" CALL TERMINATE
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" PROCESS WHERE "Name='pdf24-Reader.exe' AND CommandLine LIKE '%/shellPreview%'" CALL TERMINATE
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" PROCESS WHERE "Name='pdf24.exe'" CALL TERMINATE
    3⤵
    - Kills process with WMI
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDF24\PdfPreviewHandler.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1788
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDF24\PdfPreviewHandler.x86.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4872
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDF24\ShellExt.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:336
- - C:\Program Files\PDF24\pdf24-PrinterInstall.exe
    "C:\Program Files\PDF24\pdf24-PrinterInstall.exe" -log "C:\Program Files\PDF24\prnDrvInst.log" -upgrade installPrinterDriver
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3716
- - C:\Program Files\PDF24\pdf24-PrinterInstall.exe
    "C:\Program Files\PDF24\pdf24-PrinterInstall.exe" -printerName "PDF24" -portName "\\.\pipe\PDFPrint" -log "C:\Program Files\PDF24\pdfPrnInst.log" installPrinter installCompatiblePrinter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2672
- - C:\Program Files\PDF24\pdf24-PrinterInstall.exe
    "C:\Program Files\PDF24\pdf24-PrinterInstall.exe" -printerName "PDF24 Fax" -portName "\\.\pipe\FaxPrint" -log "C:\Program Files\PDF24\faxPrnInst.log" -config fax installPrinter installCompatiblePrinter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4324
- - C:\Program Files\PDF24\pdf24.exe
    "C:\Program Files\PDF24\pdf24.exe" -log "C:\Program Files\PDF24\srvInst.log" -install -start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4532
- - C:\Program Files\PDF24\pdf24.exe
    "C:\Program Files\PDF24\pdf24.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pdf24.org/products/pdf-creator/afterInstall.php?version=11.13.1&iid=0AAA74F8-03C0-4ABF-9652-55016ACAA954&language=en
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe18346f8,0x7fffe1834708,0x7fffe1834718
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
      4⤵
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      4⤵
      PID:4464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:2700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
      4⤵
      PID:348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      PID:5044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7557f5460,0x7ff7557f5470,0x7ff7557f5480
        5⤵
        
        PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
      4⤵
      PID:3584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9418120774784631452,17325176907114881035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
      4⤵
      PID:928

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1856

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3056

C:\Program Files\PDF24\pdf24.exe
"C:\Program Files\PDF24\pdf24.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

C:\Program Files\PDF24\pdf24-Launcher.exe
"C:\Program Files\PDF24\pdf24-Launcher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2692
- C:\Program Files\PDF24\pdf24-Creator.exe
  "C:\Program Files\PDF24\pdf24-Creator.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4484
- C:\Program Files\PDF24\pdf24-Updater.exe
  "C:\Program Files\PDF24\pdf24-Updater.exe" -hidden -trigger "appClose"
  2⤵
  - Executes dropped EXE
  PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PDF24\About.dll

Filesize
462KB

MD5
e0ef1aa3834876e8ffd14ab63085aebb

SHA1
aa371de9a3247f884a09a7ca4f470573c439ca17

SHA256
60de12a8e5e60a272ebfb8745a3b3bffae84dfc4649d84c1a364179ce7d1069d

SHA512
5a0e5d4806c96844a34f9438db37b511c3d7ba0ab74e2f5ae282b006ab35dc5c1b4c06991bb280732ca93d53e70c476014b99e05ad94cb0e0e93cdfb21c7310d

Download Submit
C:\Program Files\PDF24\About.dll

Filesize
462KB

MD5
e0ef1aa3834876e8ffd14ab63085aebb

SHA1
aa371de9a3247f884a09a7ca4f470573c439ca17

SHA256
60de12a8e5e60a272ebfb8745a3b3bffae84dfc4649d84c1a364179ce7d1069d

SHA512
5a0e5d4806c96844a34f9438db37b511c3d7ba0ab74e2f5ae282b006ab35dc5c1b4c06991bb280732ca93d53e70c476014b99e05ad94cb0e0e93cdfb21c7310d

Download Submit
C:\Program Files\PDF24\About.dll

Filesize
462KB

MD5
e0ef1aa3834876e8ffd14ab63085aebb

SHA1
aa371de9a3247f884a09a7ca4f470573c439ca17

SHA256
60de12a8e5e60a272ebfb8745a3b3bffae84dfc4649d84c1a364179ce7d1069d

SHA512
5a0e5d4806c96844a34f9438db37b511c3d7ba0ab74e2f5ae282b006ab35dc5c1b4c06991bb280732ca93d53e70c476014b99e05ad94cb0e0e93cdfb21c7310d

Download Submit
C:\Program Files\PDF24\About.dll

Filesize
462KB

MD5
e0ef1aa3834876e8ffd14ab63085aebb

SHA1
aa371de9a3247f884a09a7ca4f470573c439ca17

SHA256
60de12a8e5e60a272ebfb8745a3b3bffae84dfc4649d84c1a364179ce7d1069d

SHA512
5a0e5d4806c96844a34f9438db37b511c3d7ba0ab74e2f5ae282b006ab35dc5c1b4c06991bb280732ca93d53e70c476014b99e05ad94cb0e0e93cdfb21c7310d

Download Submit
C:\Program Files\PDF24\Language.dll

Filesize
61KB

MD5
b0049bdd34cfbc049ac166096fe602ce

SHA1
ff7369039e9ccad7c95a826ad6a973ec45c9cd11

SHA256
2266a75b36c8e063b5f49c7436aaa933813fa50c61ae120d56c832edb53db370

SHA512
94827f805eb79b55c9648fe8cb5d7fe4c3a5bce1a301c3dd28eabce7ec39c5a0a62118b466a5eecdd2ac86532b533cd7fe8d9069e8265b67cc9d74711d37c940

Download Submit
C:\Program Files\PDF24\Language.dll

Filesize
61KB

MD5
b0049bdd34cfbc049ac166096fe602ce

SHA1
ff7369039e9ccad7c95a826ad6a973ec45c9cd11

SHA256
2266a75b36c8e063b5f49c7436aaa933813fa50c61ae120d56c832edb53db370

SHA512
94827f805eb79b55c9648fe8cb5d7fe4c3a5bce1a301c3dd28eabce7ec39c5a0a62118b466a5eecdd2ac86532b533cd7fe8d9069e8265b67cc9d74711d37c940

Download Submit
C:\Program Files\PDF24\Language.dll

Filesize
61KB

MD5
b0049bdd34cfbc049ac166096fe602ce

SHA1
ff7369039e9ccad7c95a826ad6a973ec45c9cd11

SHA256
2266a75b36c8e063b5f49c7436aaa933813fa50c61ae120d56c832edb53db370

SHA512
94827f805eb79b55c9648fe8cb5d7fe4c3a5bce1a301c3dd28eabce7ec39c5a0a62118b466a5eecdd2ac86532b533cd7fe8d9069e8265b67cc9d74711d37c940

Download Submit
C:\Program Files\PDF24\Language.dll

Filesize
61KB

MD5
b0049bdd34cfbc049ac166096fe602ce

SHA1
ff7369039e9ccad7c95a826ad6a973ec45c9cd11

SHA256
2266a75b36c8e063b5f49c7436aaa933813fa50c61ae120d56c832edb53db370

SHA512
94827f805eb79b55c9648fe8cb5d7fe4c3a5bce1a301c3dd28eabce7ec39c5a0a62118b466a5eecdd2ac86532b533cd7fe8d9069e8265b67cc9d74711d37c940

Download Submit
C:\Program Files\PDF24\Language.dll

Filesize
61KB

MD5
b0049bdd34cfbc049ac166096fe602ce

SHA1
ff7369039e9ccad7c95a826ad6a973ec45c9cd11

SHA256
2266a75b36c8e063b5f49c7436aaa933813fa50c61ae120d56c832edb53db370

SHA512
94827f805eb79b55c9648fe8cb5d7fe4c3a5bce1a301c3dd28eabce7ec39c5a0a62118b466a5eecdd2ac86532b533cd7fe8d9069e8265b67cc9d74711d37c940

Download Submit
C:\Program Files\PDF24\MSVCP140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\NotifyIcon.dll

Filesize
493KB

MD5
e781b79bdbb2e8f66b6196d265ce8199

SHA1
18b65940282c003bc0b2c72382c1f9f8c4612b35

SHA256
b756d33bdb6ba1a1858b4aafc9fc70b5c2c07b1f5538d61ecfc6dcf066fdd1d9

SHA512
2b746f9524866224e09e8bf1cb4e68cdcacb57e75c6442c6e8afac4e479bd705098c40398067477458a888a979fccb5b672c5c2e662bed1512a795ec1a6e064e

Download Submit
C:\Program Files\PDF24\NotifyIcon.dll

Filesize
493KB

MD5
e781b79bdbb2e8f66b6196d265ce8199

SHA1
18b65940282c003bc0b2c72382c1f9f8c4612b35

SHA256
b756d33bdb6ba1a1858b4aafc9fc70b5c2c07b1f5538d61ecfc6dcf066fdd1d9

SHA512
2b746f9524866224e09e8bf1cb4e68cdcacb57e75c6442c6e8afac4e479bd705098c40398067477458a888a979fccb5b672c5c2e662bed1512a795ec1a6e064e

Download Submit
C:\Program Files\PDF24\NotifyIcon.dll

Filesize
493KB

MD5
e781b79bdbb2e8f66b6196d265ce8199

SHA1
18b65940282c003bc0b2c72382c1f9f8c4612b35

SHA256
b756d33bdb6ba1a1858b4aafc9fc70b5c2c07b1f5538d61ecfc6dcf066fdd1d9

SHA512
2b746f9524866224e09e8bf1cb4e68cdcacb57e75c6442c6e8afac4e479bd705098c40398067477458a888a979fccb5b672c5c2e662bed1512a795ec1a6e064e

Download Submit
C:\Program Files\PDF24\PdfPreviewHandler.dll

Filesize
51KB

MD5
06dcd62a08444c377488adc205e6d8a5

SHA1
e131f306e7e7b4fab305bcc393b47d8ff658ed5b

SHA256
0e92c005ce0a68aa49991f8de3a0e53e68256f1f58524fc49248f0328e021d29

SHA512
002cc110a6ed1ab3ed6975a8e000fff4741c53e05ba95181c281df1760aa9b6fcdcb3cbf0b90358dda4cf830397393d1691ab0ff0b026896ae0f11e1539f1c2c

Download Submit
C:\Program Files\PDF24\PdfPreviewHandler.dll

Filesize
51KB

MD5
06dcd62a08444c377488adc205e6d8a5

SHA1
e131f306e7e7b4fab305bcc393b47d8ff658ed5b

SHA256
0e92c005ce0a68aa49991f8de3a0e53e68256f1f58524fc49248f0328e021d29

SHA512
002cc110a6ed1ab3ed6975a8e000fff4741c53e05ba95181c281df1760aa9b6fcdcb3cbf0b90358dda4cf830397393d1691ab0ff0b026896ae0f11e1539f1c2c

Download Submit
C:\Program Files\PDF24\PdfPreviewHandler.dll

Filesize
51KB

MD5
06dcd62a08444c377488adc205e6d8a5

SHA1
e131f306e7e7b4fab305bcc393b47d8ff658ed5b

SHA256
0e92c005ce0a68aa49991f8de3a0e53e68256f1f58524fc49248f0328e021d29

SHA512
002cc110a6ed1ab3ed6975a8e000fff4741c53e05ba95181c281df1760aa9b6fcdcb3cbf0b90358dda4cf830397393d1691ab0ff0b026896ae0f11e1539f1c2c

Download Submit
C:\Program Files\PDF24\PdfPreviewHandler.x86.dll

Filesize
43KB

MD5
e479987c72f70df3a5dddef868c3b028

SHA1
e5f0f4143ba9b50eb3df1eae3bb0b2188fc6f513

SHA256
aefdbc975c28ca0244fb912e43db69dda14b1fac46604bb5c1c41caeb3d01604

SHA512
7f01e082d8bc7fa9bba2db78333758b3a3d3bbe099cf149a124070770bca2ec2e39409ef8176e18464ed7048c3cc87afb2892b6905248e34412667bac1c46a6b

Download Submit
C:\Program Files\PDF24\PdfPreviewHandler.x86.dll

Filesize
43KB

MD5
e479987c72f70df3a5dddef868c3b028

SHA1
e5f0f4143ba9b50eb3df1eae3bb0b2188fc6f513

SHA256
aefdbc975c28ca0244fb912e43db69dda14b1fac46604bb5c1c41caeb3d01604

SHA512
7f01e082d8bc7fa9bba2db78333758b3a3d3bbe099cf149a124070770bca2ec2e39409ef8176e18464ed7048c3cc87afb2892b6905248e34412667bac1c46a6b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\Settings.dll

Filesize
91KB

MD5
f7a855ddd86c34c55286ed07e7732650

SHA1
5a8b07d0135c11b5b2185199dfc917352cc0f5bc

SHA256
68119afbaf4217aacaa8b2479497707847bf2d06637be82a07c82f433240168c

SHA512
35a2f4919ff326ba5e715257570a2c43e8a30e3741fec51495953a6ca9e7fd81f0064445314e85853bdb76f775420e48300a65235555ce644cfeccc27b4c778b

Download Submit
C:\Program Files\PDF24\ShellExt.dll

Filesize
224KB

MD5
8aa2962589c534a7ca3a4fca910f40e9

SHA1
18d150a192d5a11d46c2923f41b9101e622e9e58

SHA256
a0ec96dfd6480ec35955179c9c80113a1f2eebb43ae91e13ab4594e41737abdb

SHA512
509035f84e41532af05fdad58271f1b184607472581f8e9f71185ee098e975e60bddffef753417db43a9d8f78e5e70850ea86f2a0441dcfa89eaec05956f2d58

Download Submit
C:\Program Files\PDF24\ShellExt.dll

Filesize
224KB

MD5
8aa2962589c534a7ca3a4fca910f40e9

SHA1
18d150a192d5a11d46c2923f41b9101e622e9e58

SHA256
a0ec96dfd6480ec35955179c9c80113a1f2eebb43ae91e13ab4594e41737abdb

SHA512
509035f84e41532af05fdad58271f1b184607472581f8e9f71185ee098e975e60bddffef753417db43a9d8f78e5e70850ea86f2a0441dcfa89eaec05956f2d58

Download Submit
C:\Program Files\PDF24\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\is-99OCO.tmp

Filesize
43KB

MD5
e479987c72f70df3a5dddef868c3b028

SHA1
e5f0f4143ba9b50eb3df1eae3bb0b2188fc6f513

SHA256
aefdbc975c28ca0244fb912e43db69dda14b1fac46604bb5c1c41caeb3d01604

SHA512
7f01e082d8bc7fa9bba2db78333758b3a3d3bbe099cf149a124070770bca2ec2e39409ef8176e18464ed7048c3cc87afb2892b6905248e34412667bac1c46a6b

Download Submit
C:\Program Files\PDF24\jre\legal\java.logging\is-DPQ1J.tmp

Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Program Files\PDF24\jre\legal\java.logging\is-GULOJ.tmp

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files\PDF24\jre\legal\java.logging\is-N58F7.tmp

Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Program Files\PDF24\lib\wx\i18n\is-J1DUR.tmp

Filesize
150KB

MD5
b27fdf26c00f2ed421de4ecaa0852612

SHA1
ac7710400503f12e32a47f0a246df35ef1737ccc

SHA256
47f61726415cf53bba58dec06ff17d53900532e8f90eb08508afd0306ad8ea2b

SHA512
1a174526d8f72f7378975dc2a783b38aa38a5f505c91553ae8ff69f6d2f606a4d8d2bd5672baa7ca0f455489eed7dbde342d106a2d1b0c10a6f9c0e68a482c74

Download Submit
C:\Program Files\PDF24\lib\wx\i18n\is-K0RCN.tmp

Filesize
147KB

MD5
c71469793562d997769a7b3f04d3b440

SHA1
3771b90e89e10591c1ab27d2f9d5716df89f00d3

SHA256
5abef6af4c4452adc1d93105683aa13350ecc893f73151d02ca757d47ecef0a1

SHA512
7393528d8d060ebd59e3856e5c22474a6b896037e3050e0c7e43520164ebd3fbd434e73697fffe29e9a0448d47056d171672728669cac96c8d2adfb476f2e4c3

Download Submit
C:\Program Files\PDF24\lib\wx\i18n\is-USRJC.tmp

Filesize
169KB

MD5
86ae1d9e881f46c6c1a7cc958e075127

SHA1
84dcf13d19642689ef7af668488b63520c12a144

SHA256
819a1aeeaf406e58137ee5de6c992911612cf8ca45f1d83b78a60afd7c8a80fb

SHA512
5cd035b161a37f49dfe9b2ad274071abbbf26b7c2e8d781e3c61b76eccf5aeace2ed051e72d2b7f0ec476f72087b59e5a3d874703195807d2093ceed2824b7fc

Download Submit
C:\Program Files\PDF24\licenses\is-MJTON.tmp

Filesize
11KB

MD5
3b83ef96387f14655fc854ddc3c6bd57

SHA1
2b8b815229aa8a61e483fb4ba0588b8b6c491890

SHA256
cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30

SHA512
98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\msvcp140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Program Files\PDF24\pdf24-PrinterInstall.exe

Filesize
314KB

MD5
d20bad7ba4923c85c6dacf89047093dc

SHA1
307732c96dae1866d69e69c0720a994baff531d2

SHA256
43766629d6939b0a9aedc2f7c36db7055d0e307ed7fc6d63a493d48a130d609d

SHA512
2c2ac310a29cc51f1a6236122a60a00faf74c54c683cc5e9ad48e4cb894f1f4d380121c5cffe4b0e6079c0b31d2a1c120fa37614a6768d96482addbbde65b597

Download Submit
C:\Program Files\PDF24\pdf24-PrinterInstall.exe

Filesize
314KB

MD5
d20bad7ba4923c85c6dacf89047093dc

SHA1
307732c96dae1866d69e69c0720a994baff531d2

SHA256
43766629d6939b0a9aedc2f7c36db7055d0e307ed7fc6d63a493d48a130d609d

SHA512
2c2ac310a29cc51f1a6236122a60a00faf74c54c683cc5e9ad48e4cb894f1f4d380121c5cffe4b0e6079c0b31d2a1c120fa37614a6768d96482addbbde65b597

Download Submit
C:\Program Files\PDF24\pdf24-PrinterInstall.exe

Filesize
314KB

MD5
d20bad7ba4923c85c6dacf89047093dc

SHA1
307732c96dae1866d69e69c0720a994baff531d2

SHA256
43766629d6939b0a9aedc2f7c36db7055d0e307ed7fc6d63a493d48a130d609d

SHA512
2c2ac310a29cc51f1a6236122a60a00faf74c54c683cc5e9ad48e4cb894f1f4d380121c5cffe4b0e6079c0b31d2a1c120fa37614a6768d96482addbbde65b597

Download Submit
C:\Program Files\PDF24\pdf24-PrinterInstall.exe

Filesize
314KB

MD5
d20bad7ba4923c85c6dacf89047093dc

SHA1
307732c96dae1866d69e69c0720a994baff531d2

SHA256
43766629d6939b0a9aedc2f7c36db7055d0e307ed7fc6d63a493d48a130d609d

SHA512
2c2ac310a29cc51f1a6236122a60a00faf74c54c683cc5e9ad48e4cb894f1f4d380121c5cffe4b0e6079c0b31d2a1c120fa37614a6768d96482addbbde65b597

Download Submit
C:\Program Files\PDF24\pdf24-Toolbox.exe

Filesize
1.1MB

MD5
e439a0a33922a2249f708d6e692b2422

SHA1
294356d6e572200365b8bfb91dcd8459e042d1a7

SHA256
444b8f0ce584a2d51096e2072e48f6ba409a94ab5364a0720a085bfd8d98b1d8

SHA512
91abd21f05881b167a8ae1495dca24b8c13228aa3febab390045d705f807d16c1ba5941f5dfda5567ea489ab72307af8267ced822e5f84524befa66ae9ab1a7c

Download Submit
C:\Program Files\PDF24\pdf24.exe

Filesize
600KB

MD5
a38ee478855119c79b481271d972cc6b

SHA1
ec3f6e313ffa09896dc15be9ecf88863d98c1942

SHA256
5683de1904982ba8cd50e57a67fbc397fc6b7c36dde83ae527a04e0ebe26f069

SHA512
e7a722b08b6a9b5b03be3f1d7b20dee36825222cbc2687d1c74d4cb363fb0b991c2fc429312ba7e03fd937e81fbdfa307db61fea25a7bd9c190d1e3d34edbcae

Download Submit
C:\Program Files\PDF24\pdf24.exe

Filesize
600KB

MD5
a38ee478855119c79b481271d972cc6b

SHA1
ec3f6e313ffa09896dc15be9ecf88863d98c1942

SHA256
5683de1904982ba8cd50e57a67fbc397fc6b7c36dde83ae527a04e0ebe26f069

SHA512
e7a722b08b6a9b5b03be3f1d7b20dee36825222cbc2687d1c74d4cb363fb0b991c2fc429312ba7e03fd937e81fbdfa307db61fea25a7bd9c190d1e3d34edbcae

Download Submit
C:\Program Files\PDF24\pdf24.exe

Filesize
600KB

MD5
a38ee478855119c79b481271d972cc6b

SHA1
ec3f6e313ffa09896dc15be9ecf88863d98c1942

SHA256
5683de1904982ba8cd50e57a67fbc397fc6b7c36dde83ae527a04e0ebe26f069

SHA512
e7a722b08b6a9b5b03be3f1d7b20dee36825222cbc2687d1c74d4cb363fb0b991c2fc429312ba7e03fd937e81fbdfa307db61fea25a7bd9c190d1e3d34edbcae

Download Submit
C:\Program Files\PDF24\pdf24.exe

Filesize
600KB

MD5
a38ee478855119c79b481271d972cc6b

SHA1
ec3f6e313ffa09896dc15be9ecf88863d98c1942

SHA256
5683de1904982ba8cd50e57a67fbc397fc6b7c36dde83ae527a04e0ebe26f069

SHA512
e7a722b08b6a9b5b03be3f1d7b20dee36825222cbc2687d1c74d4cb363fb0b991c2fc429312ba7e03fd937e81fbdfa307db61fea25a7bd9c190d1e3d34edbcae

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Program Files\PDF24\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed9cfbe2b6990431cadc59eee86c6000

SHA1
cb656fb2480b9f2869949be67cbd662d635bf5fe

SHA256
3b7a8f91da1d21e3a6967f49eab6e6e2c187b12c5fe06669ed3d0f9068128f69

SHA512
32b4181083628ed6d5d18ca56c6b79ff8685d8f18cc598f96b64a9070bccf4d466e79b3c5a56d03c265ea303bcc0b76dc1992d725303b0126667b8b93cd87d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e479233da77016935baabcddd19fdd3d

SHA1
d09799ad7a9cb76c66dbdcb02a2824676d676b0c

SHA256
3a2196aa6d57fe0af58a13f3a73bc8e65b9a118863d7ed26beaf6616128f8575

SHA512
9e5a63eecf7aa6ded9f02be9bec7a561c092ca7e33c1ecb722bb5763719a0adff9976d75ac1e1b8a634656147b304ae9451bcf4bd417550e8081e5d57e22c33c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
22c541f93fbf01f0e6d522c441279424

SHA1
15beb6e7265bce2b1e284bd58d761cedec4e6508

SHA256
469e41020566b459bb1a531b2238d0cdc8f3023f4ebe334d36113e9206430ae4

SHA512
f366b0cc9c793f42f2a4081f70dab3fecb3fba60cb4bb7853b6a7ae773174f2210a23b7741064c9b468472115eb7eaa3a827b5c4d52e0d984358e8e9e4b7379d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
b524205bd8e39315ea364baee4e19e6f

SHA1
3653f372ff38fefa77eff5fe34e0c0ce5b04deac

SHA256
7544f03b7ab94cd48d89698578c052e6fb36442b4fe04a248ace812ea21c5a05

SHA512
742869e028e2885f376c60f9cdfc3e2a57e7589866f40227cb6d41bb79130c84f02f17fe1925cfcc617d803eb8b0e7406cb63d83617cc910b585f01ea236673c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
f99f2b01c53fbb97764c6e68ed08504e

SHA1
9a67aeb3d7349441f000d5df580800e5afefbb43

SHA256
c20703974f54573da1fdbb17f7bf52393963c0a85946571bd0b9891ed0b41e50

SHA512
6ac606cdcc7183e94c92901c01a2af296bb19c363b2e7a2c79c157c504bf1d95a9d77f2df549afcc7e446acc568b986329c062590684d5c5b02f03f86963aef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
92dcea54ae3a78813764371bc9e92de0

SHA1
d171eec17fdfb1f6b0a95f146be61787f33abdec

SHA256
4f4b6e661c13914b80b9960f86984a64bd7c4090139adcdee0ad64a12f6a7430

SHA512
85d6c81370aece888e7763467e706e255be7588325c6da207d2200d198db9927c608f24d04f1366de0c037e558d804ffb5c38f9400b85328ae0af6de9b3a4645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
b0bce057fcc43d233954a58e096453ab

SHA1
917291160c4c3388b72ecfb6647a1c6f72e5e008

SHA256
53ffb19cbaeff3ece5f85dd495e5c61a5c7b43c7a467aaba395b5e967a232ca9

SHA512
4f7fdc74248f47cac8e8a2aac432d3e85dcd414aed04b5f24ba13ef27f0cec72c1b0c1feabcebb11694828e12d7a9bdaf86d1a9a69d6c4f2c8c6ca44c9b4994d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4e74e1d52f2578a3783d4b80dcbc2c9e

SHA1
e75138dddae9271e9215139362353eb6bc0df8ef

SHA256
4890184572a7c720e711be89525656fa29edcb0fef303962cc82c65c5d198ce4

SHA512
e4a4079515292e368f107f9d6e58cb23fba7c869716e111d45dac4c83f3665b839393422f72ffb077d990e48e6a9ca420ad4135f00a12ad8fc5146603ad8d20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
69d307718f34b592e60e70a51f46a1d2

SHA1
d8136118e4f3dc1f33a6d9fa4b4bb75db9f08813

SHA256
3ca99c920015b82a53ee72db28a46ab94e84d4eac5b695164dac03ca761dc746

SHA512
930f4e266e025cad5a3253b129908d4b2a510dfa543dcc26238fba3b53e27945612a5a70eb98e2a30938ece14226f71be465db12aae349a7fa5d6a05c38204fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c7e3ef66babd460268e7ff8846ad5392

SHA1
1f1df8f52b64d8faf6e7408e37b427828ffa1bc0

SHA256
18adc63cb792f32e070a5ed545bb177e7b8f76d51b877418f487275bc5173941

SHA512
8f768d6190236946db40e647c05c1cc52249c20cd6b3490f2d5114ffe86a542a3e2f27612e6c0486234af8235c7f7f709de37023e5b65503fa97ddc7ac251aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1e05306f1cdc82fba51a674a801a193

SHA1
819e8799911cd6aebacd0d90ce28538e5c4edd5c

SHA256
f78d41f65b348543bbc3b8b64e1723fce63adcfcdf9fb8eb015bb1a70ef01813

SHA512
8a46e69ba3c5d81ed63c91b41e28a7941ae878fbb5117d9902484c519e096aab3943c8e5e635b5e5ba8f36e90328559ecbab36e450d754261c1e94073f2fc74f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\592e80864ea5b6c6ed88dea990d736b895ab06a2\5a3a31c0-a68d-4e67-a1c9-000d2be28402\index-dir\the-real-index

Filesize
72B

MD5
b193e20699d157b2b4c78dba5b7bcbcf

SHA1
51abd4ef5beda1b116e6b13198343650e03a8398

SHA256
791f22554247229a36225151d753a193a3f22e673aaef53d54f66b7e0533a6de

SHA512
553717db22eae8a2045d3deb81d01cfb983a9ea3f8e5242ccd21451839521e8b397d65886c7aa6f8d64778b49d530097ac75b742f177df46754367e07e46f1c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\592e80864ea5b6c6ed88dea990d736b895ab06a2\5a3a31c0-a68d-4e67-a1c9-000d2be28402\index-dir\the-real-index~RFe591fe2.TMP

Filesize
48B

MD5
bc4bfef7b716c78cb266a9687454d941

SHA1
21e7f667a9e2620206c1424a1a6253e919f32f0c

SHA256
1df62969c5741df3fa59064573b3d3619b545fc38563865c02101aa3048518ce

SHA512
562acb23f6b67475df14d152fa34eb812fc50e0a28f1afa1ed97055360aff345983efab0a9368dbd3ff7bd0d301796531c31f47a90c0aed76ede3be7c38a651e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\592e80864ea5b6c6ed88dea990d736b895ab06a2\index.txt

Filesize
95B

MD5
785379d8c2f7a00bf4ac220bfda58b24

SHA1
dd50ee1302b87f007a5c5b0425ae5b2bccce660a

SHA256
d8dc3292597378b39fd46dea676bdc9df18e0095a839cb66232fad2b8442f924

SHA512
fca0a734ddf58ffe2dfc75ee4ce1f7ed8b62ebec62a263cf0214d763291554903393a151ac67536ce0fb2e914606f5eb66c70d251f554493f8b755fc3969807c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\592e80864ea5b6c6ed88dea990d736b895ab06a2\index.txt

Filesize
89B

MD5
c112d0280861e7b04abc1995ab4a3802

SHA1
82ccec0011f614f22a9f47c33ee517380925178c

SHA256
4d688f209b0dfb7b3a40148c8c065e364dd6410cdd227e9c630f8f66b49ac36a

SHA512
4e089db9aa5d23a5ad50189b1a637b6c9beb30dc98bc9df162f08bcfe1652ef31bcacb88fb4992ac75bf7acaa9e9c352fa3dd48eb08f186047953e2a9722e52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
62ce7422d54d8c1fad4446c45332eb03

SHA1
2f6ed16407de9235c6bebc8eaae40970fc1bd954

SHA256
9ccf18bf00877381f6fa4674c982100598c0a7438daf3a2f33fe8e093de5ee52

SHA512
b5ff71e901db6a40c136300ab47bb799d4e1269ba7fae4a4b1d98e5e8b3ccf66bb81b3d53afe64990fc04258f76cb8b32c3b23c4de3bf15eabac68bf285602ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591fd3.TMP

Filesize
48B

MD5
3e2327dcd0f19588a7e8263a4e7a2152

SHA1
f7d3875a4acb032e428973d7d1ab29b03d93d92d

SHA256
6f5fa5b14e820c655dfaa8f16592d96a1577ad0928137a7ec034bb4c85b59b10

SHA512
c3aa1c2212e16a3f525efa3b8876806ac9982297d684916c3748ecb0889bb22cf69bad8edb0927e5757e6b8e6f5aafb336f1ac41f7184bbf4c1cea9e3c833fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
a9ae5a8a8644d5efa7a880b60ce42297

SHA1
4dfa5464a4b2cf6fd09a94f940639d7224cfe051

SHA256
ab56231edf202c0133e07bf21548111967a2b9cbce17f1e8d68757f2ea59483f

SHA512
627689dee23e5847333cb6b3e09698aeab6f42a97d84f7c53f52fc75bfd541a1a66a19ba1aa5dd9123102942e910ed8a21197e5cdd2809824cbd16c2e62731aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59208e.TMP

Filesize
372B

MD5
036cf70138facc117a25731f1ddb72e0

SHA1
ed4c38305112ebbe1e16d4fed1b1e02d47b87bb9

SHA256
c8b881613d56e0b3fc7d5f2cdb9e81347e487f73079b3048baf3d606ad61f003

SHA512
5d7b8fbc4694e8318009c904a8cc50a41fcc8053fc4e497a359478845b18fe372048d6a74aad364cbb376c3e25259fe2eb25caef6042c22f33d18395fd1d72ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
4db4b94e5e64ee1cca6a1b44938a34e5

SHA1
b00506b05be1b13a0266f6c9e9db5195910cbed8

SHA256
443dba1cd90fc012155f62335cb9177f5f61cc21a360511206f8a3ab4c7bb9f4

SHA512
b32c0cb0728310f822609884330f7d5410d9c5cc60c587a48f0524ed381b6fc82e3520c3106b29d593d68a07b4b0615aeda04c7f467d5bbe61070d6c257b0ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
b74bddf3778f17237c99d16e887b72d5

SHA1
145c0bc7675e0d5cce8b053809f4d80fa42523f9

SHA256
79817f9d7cf907415251cb7a4da96bc2c2b87abc47a80a9cc4c530e4fcc58434

SHA512
2ab5b26d1ff023752ab068eb6cb35e76a60cccf74c05fb3b5aa444681237263466da0a2c0662688318ea965bf74f52008f33faff1113240dd8e7c1f496d166c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDF24\0_240695078_2405730838\pdf24.ppd

Filesize
21KB

MD5
27989eb65abf3920df8ebea3189a616e

SHA1
508027a760d2e47e14b4ada99d9965bad6e70f6e

SHA256
9a3916b3f6d07d6b1521fd6dd2e73a8291933a9686a33d24f74951fb48219859

SHA512
e977715c3ea4caf2df283e534cb3e9803e8c25269d3c1efb5845ba41d5cce3d5dad357f19adf213feb1a5c0c30af380b6d8abbdf3f704d673316c36a9373620f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTCBD.tmp\pdf24-creator-11.13.1-x64.tmp

Filesize
3.1MB

MD5
e33e4401fbeba1becbc3d8e79a7a8536

SHA1
b824d24ee396758776bb103024493484f8df211f

SHA256
bec0b11d741b54dd9a37cb492ffb2cb05f3da9bba7febaf1f0aa71f374b4f087

SHA512
37fcc4031d612c372a4db9eca2d1a54eff57152848e49d7c95276c4be897c385d11a6256ad9c89f708ce2ccd8da3e9d5c1bff77742180e8d030efe87693896a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTCBD.tmp\pdf24-creator-11.13.1-x64.tmp

Filesize
3.1MB

MD5
e33e4401fbeba1becbc3d8e79a7a8536

SHA1
b824d24ee396758776bb103024493484f8df211f

SHA256
bec0b11d741b54dd9a37cb492ffb2cb05f3da9bba7febaf1f0aa71f374b4f087

SHA512
37fcc4031d612c372a4db9eca2d1a54eff57152848e49d7c95276c4be897c385d11a6256ad9c89f708ce2ccd8da3e9d5c1bff77742180e8d030efe87693896a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9bfbfb594262cde355cbd79c413bdb0b

SHA1
799420a0ff7349e9c07b397ae62829bb11b3fdae

SHA256
253987df46988bc6b2f02258c161d0d5a6616f690061d3357635ef13e26ff346

SHA512
24a47fc58ebb89c4e6f0e0778ff2a5645613149d81f88fa8d7fc2b03fb501b9de5f957eb49cabce17b2adadcbc373f5e84d4951f8463bb7135ae5d31a0b7f4dd

Download Submit
memory/1704-535-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-2749-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-3170-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-143-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1704-2888-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-2814-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-2811-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-3258-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-1520-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-1290-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-140-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1704-3225-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-355-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-145-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1704-142-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/1856-306-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-307-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-344-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-317-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-340-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-328-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-312-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-308-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-341-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/1856-339-0x000001AA6A5A0000-0x000001AA6A5A1000-memory.dmp

Filesize
4KB

Download
memory/3584-3312-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3584-133-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3584-141-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4484-3690-0x0000000003530000-0x0000000004BA7000-memory.dmp

Filesize
22.5MB

Download