Malware Analysis Report

2024-11-30 19:04

Sample ID 240308-f3gsqaha6y
Target https://extra-ram.soft112.com/
Tags
agilenet discovery evasion persistence themida trojan
Score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
9/10

Threat Level: Likely malicious

The URL https://extra-ram.soft112.com/ was found to be: Likely malicious.

Every process named in the signatures below is either part of the novaPDF 11 installer chain that the visit produced (novapdf-full.exe, novapdf.exe, WindowsDriverRestrictions.exe, novapdfs.exe) or a Windows component that chain drives (msiexec.exe, DrvInst.exe, spoolsv.exe, rundll32.exe). The score is the sandbox's heuristic verdict over those signatures, not a verdict on the page itself, so read each signature against the process that raised it.

Malicious Activity Summary

agilenet discovery evasion persistence themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Registers new Print Monitor

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

Themida packer

Checks BIOS information in registry

Checks installed software on the system

Enumerates connected drives

Blocklisted process makes network request

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies data under HKEY_USERS

Creates scheduled task(s)

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-08 05:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-08 05:23

Reported

2024-03-08 05:28

Platform

win10v2004-20240226-en

Max time kernel

300s

Max time network

301s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://extra-ram.soft112.com/

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A

Downloads MZ/PE file

Registers new Print Monitor

persistence

The spooler (spoolsv.exe) writes these keys on behalf of the installer, because port monitors are registered through the spooler. The only monitor DLL actually registered here is novamn11.dll for the "novaPDF 11 Port Monitor"; the other keys are the Ports and Adapters subkeys of the built-in monitors (Local Port, Standard TCP/IP Port, WSD Port, USB Monitor, Appmon, Microsoft Shared Fax Monitor).

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor\Driver = "novamn11.dll" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor\Ports C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor\Ports\novaPDF11 C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\System32\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{45DE6611-DFD3-47FB-A6EA-6C8176793ABC}\.cr\novapdf-full.exe N/A

Loads dropped DLL

No indicator or target was captured for these 64 events; counts per loading process:

Process Count
C:\Windows\SysWOW64\rundll32.exe 20
C:\Windows\System32\MsiExec.exe 18
C:\Windows\syswow64\MsiExec.exe 17
C:\Windows\Temp\{45DE6611-DFD3-47FB-A6EA-6C8176793ABC}\.cr\novapdf-full.exe 5
C:\Windows\System32\spoolsv.exe 2
C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe 1
C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe 1

Obfuscated with Agile.Net obfuscator

agilenet

12 matches; no description, indicator, process or target was captured for them.

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8E39E094-CD29-467C-8182-F1370C5AAEA1}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8E39E094-CD29-467C-8182-F1370C5AAEA1}\InprocServer32\ = "C:\\Program Files\\Softland\\Office Add-In 11\\NovaPDFOfficeAddIn64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8E39E094-CD29-467C-8182-F1370C5AAEA1}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\InprocServer32\ = "C:\\Program Files\\Softland\\novaPDF 11\\SDK\\Lib\\x64\\novapi11.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A

Themida packer

themida

14 matches; no description, indicator, process or target was captured for them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a88d9422-a03b-44c9-b31a-c3a1cb041aa1} = "\"C:\\ProgramData\\Package Cache\\{a88d9422-a03b-44c9-b31a-c3a1cb041aa1}\\novapdf.exe\" /burn.runonce" C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\novaPDF 11 nPdf_Softland Tray = "C:\\Program Files\\Softland\\novaPDF 11\\Driver\\Tray.exe /oem=nPdf_Softland" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\{45DE6611-DFD3-47FB-A6EA-6C8176793ABC}\.cr\novapdf-full.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE41C.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaem11.exe C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDAA8.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDAA8.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDAB9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\nova11X86.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE42C.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novasv11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDAD9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\amd64\novacl11.exe C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novaem11.exe C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\nova11.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA65.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaem11.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE42F.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA76.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\nova11X64.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\nova11.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaim11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\novasv11.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\SETDAE9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novaem11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA55.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\novacl11.exe C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA97.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\SETDAE9.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE42D.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA76.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA87.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA97.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaemex11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novaui11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\novapr11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\nova11X64.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE42D.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novapr11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\amd64\novaem11.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE41B.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novaemex11.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\SETE419.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\nova11.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA87.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\novaui11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\novaemex11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\SETDAFA.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA44.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDAB9.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE41A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novasv11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE42E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\amd64\novaemex11.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaemex11.exe C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\SETE42C.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_x86_05761108a7bd5263\i386\novaemex11.exe C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\novaem11.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDA65.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\amd64\novaem11.exe C:\Windows\system32\DrvInst.exe N/A
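The signature tables above, from the registry-based checks ("Identifies VirtualBox via ACPI registry values" through "Checks whether UAC is enabled" and the Run key and COM server entries) to the DriverStore drops in "Drops file in System32 directory", are flattened rows in which both the Indicator and the Process column contain spaces. The Python below is an added example, not part of the sandbox's tooling or of novaPDF: it recovers the four columns, tags each row with the signature name the report uses, rolls the hits up per process image, and pulls the committed driver package identity (INF name, architecture, hash) out of the FileRepository paths so the package's .cat file can be verified afterwards. The ATT&CK technique IDs in the rule table are this example's own mapping and are not taken from the report; the sample rows are copied from the tables above.

```python
"""Triage helper for the flattened signature rows above (added example).

Rows read "<Description> <Indicator> <Process> <Target>". Both the indicator and
the process path may contain spaces, so the columns are recovered from the fixed
Description vocabulary and from the last bare " C:\\" in the row.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional, Tuple

# Description vocabulary seen in the report's tables.
DESCRIPTIONS = (
    "File opened for modification", "File opened (read-only)", "File created",
    "Key value queried", "Key created", "Key opened", "Set value (str)",
)
_ROW_RE = re.compile(
    "^(?P<desc>" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r") (?P<rest>.+)$"
)
_PROC_SEP = " C:\\"  # quoted values embed "C:\\..." after a quote, never after a space

# (indicator regex, signature name as the report prints it, ATT&CK technique).
# The technique column is this example's own mapping, not the report's.
RULES = (
    (r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "Identifies VirtualBox via ACPI registry values", "T1497.001"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "Checks BIOS information in registry", "T1497.001"),
    (r"\\Policies\\System\\EnableLUA$", "Checks whether UAC is enabled", "T1012"),
    (r"\\International\\Geo\\Nation$", "Checks computer location settings", "T1614"),
    (r"\\Control\\Print\\Monitors\\", "Registers new Print Monitor", "T1547.010"),
    (r"\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32", "Registers COM server for autorun", "T1546.015"),
    (r"\\CurrentVersion\\Run(Once)?\\", "Adds Run key to start application", "T1547.001"),
    (r"^\\\?\?\\[A-Z]:$", "Enumerates connected drives", "T1083"),
    (r"^C:\\Windows\\System32\\", "Drops file in System32 directory", None),  # must precede the Windows rule
    (r"^C:\\Program Files( \(x86\))?\\", "Drops file in Program Files directory", None),
    (r"^C:\\Windows\\", "Drops file in Windows directory", None),
)
_COMPILED = [(re.compile(p), sig, tech) for p, sig, tech in RULES]
# Committed packages live under FileRepository\<inf>_<arch>_<hash>\; Temp\{guid}\ holds staging copies (SETxxxx.tmp).
_PKG_RE = re.compile(r"\\DriverStore\\FileRepository\\(?P<inf>[^\\]+\.inf)_(?P<arch>x86|amd64|arm64)_(?P<hash>[0-9a-f]{16})\\(?P<tail>.+)$")

Event = NamedTuple("Event", [("description", str), ("indicator", str), ("process", str), ("target", str)])


def parse_row(row: str) -> Event:
    """Split one table row into its four columns."""
    m = _ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unknown description prefix: {row!r}")
    body, target = m.group("rest").rsplit(" ", 1)  # Target is a single token (N/A here)
    cut = body.rfind(_PROC_SEP)
    if cut < 0:
        raise ValueError(f"no process path in row: {row!r}")
    return Event(m.group("desc"), body[:cut], body[cut + 1:], target)


def classify(event: Event) -> Tuple[Optional[str], Optional[str]]:
    """(signature, technique) of the first rule whose regex matches the indicator."""
    for pattern, sig, tech in _COMPILED:
        if pattern.search(event.indicator):
            return sig, tech
    return None, None


def by_process(events):
    """Signature hit counts per process image (lower-cased basename)."""
    rollup = defaultdict(Counter)
    for ev in events:
        sig, _ = classify(ev)
        if sig:
            rollup[ev.process.rsplit("\\", 1)[-1].lower()][sig] += 1
    return dict(rollup)


def driver_packages(events):
    """Map each committed DriverStore package (inf, arch, hash) to the file names seen under it."""
    packages = defaultdict(set)
    for ev in events:
        m = _PKG_RE.search(ev.indicator)
        if m:
            packages[(m["inf"], m["arch"], m["hash"])].add(m["tail"].rsplit("\\", 1)[-1])
    return dict(packages)


# Rows copied from the tables above (a subset).
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Temp\{45DE6611-DFD3-47FB-A6EA-6C8176793ABC}\.cr\novapdf-full.exe N/A",
    r"Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\novaPDF 11 Port Monitor C:\Windows\System32\spoolsv.exe N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8E39E094-CD29-467C-8182-F1370C5AAEA1}\InprocServer32\ = "C:\\Program Files\\Softland\\Office Add-In 11\\NovaPDFOfficeAddIn64.dll" C:\Windows\System32\MsiExec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\novaPDF 11 nPdf_Softland Tray = "C:\\Program Files\\Softland\\novaPDF 11\\Driver\\Tray.exe /oem=nPdf_Softland" C:\Windows\system32\msiexec.exe N/A',
    r"File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A",
    r"File created C:\Windows\System32\DriverStore\Temp\{0dc11e67-3c5d-f646-9a53-6f45281bf67f}\amd64\SETDAA8.tmp C:\Windows\system32\DrvInst.exe N/A",
    r"File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\amd64\novacl11.exe C:\Windows\system32\DrvInst.exe N/A",
    r"File opened for modification C:\Windows\System32\DriverStore\FileRepository\nova11.inf_amd64_05761108a7bd5263\nova11X64.cat C:\Windows\system32\DrvInst.exe N/A",
    r"File created C:\Program Files\Softland\novaPDF 11\Driver\PrinterManager.exe C:\Windows\system32\msiexec.exe N/A",
]

if __name__ == "__main__":
    events = [parse_row(r) for r in SAMPLE_ROWS]
    for proc, hits in sorted(by_process(events).items()):
        print(proc, dict(hits))
    for (inf, arch, digest), files in driver_packages(events).items():
        print(f"{inf} [{arch}] {digest}: {sorted(files)}")
```

Run against the full tables, the per-process rollup makes the attribution visible at a glance: the anti-VM and BIOS checks come from WindowsDriverRestrictions.exe and novapdfs.exe, every persistence key is written by msiexec.exe or the spooler, and all System32 writes are DrvInst.exe staging and committing the nova11.inf package. The committed package is the thing to verify: its nova11X64.cat signature must cover the .exe and .dll files listed under the same FileRepository directory.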

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Softland\novaPDF 11\Driver\da\WAFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\Office Add-In 11\NovaPDFUtils.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\DeactivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\ko\NovaPDFUtils.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\id\WAFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\PrinterManager.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\it\Monitor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ko\Monitor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\zh-CN\DeactivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\fi\NovaPDFComponent.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\my\CustomControls.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ko\DeactivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Hardcodet.Wpf.TaskbarNotification.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ru\Monitor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\Office Add-In 11\en\NovaPDFUtils.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\Office Add-In 11\NovaPDFOfficeAddIn86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\ro\CustomControls.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\bg\ActivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Kit\data\novaLarge.bmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Announcements.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\pt-BR\Monitor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\my\PrinterManager.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\bg\CustomControls.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\el\CustomControls.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\tr\PrinterManager.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\bg\Startup.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\SharedResourceDictionary.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt-BR\WAFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Monitor.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ms\Monitor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\Office Add-In 11\ServiceClient.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\ActivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\zh-CN\ProfileManager.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\it\DeactivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ko\Tray.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\tr\WAFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\Google.Apis.PlatformServices.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\Microsoft.WindowsAPICodePack.Shell.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\pt-BR\LayoutEditor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Kit\amd64\novapr11.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Kit\i386\novaem11.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ne\PrinterManager.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\OAuthGmail.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\da\NovaPDFComponent.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\fi\NovaPDFUtils.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\CryptUtil.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ko\CustomControls.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Kit\amd64\novasv11.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\Kit\i386\novaemex11.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\tr\StartupDo.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\el\UpdateApplication.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\Office Add-In 11\ServiceClient.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\de\DeactivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\Telemetry.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\es\LayoutEditor.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\ms\NovaPDFUtils.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\zh-CN\DeactivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\id\Tray.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\my\ActivationClientLibrary.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\fi\CustomControls.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\Microsoft.Windows.Shell.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\NovaPDFComponent.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Softland\novaPDF 11\Tools\fi\WAFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Softland\novaPDF 11\Driver\ne\Tray.resources.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{3742ACB4-D095-4247-9A19-D1682A510ED2} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID816.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5a52c3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52b9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI967F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB8E.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIEC8B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA755.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB1D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE9A4.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE9A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF61A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52a5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{24C3CAC4-4442-429B-A90C-A09AF48291DE} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI815E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{526D78AB-571E-4FCF-B06E-31AA9C98C44F}\DoIcon.A8C9E50A_07B8_40BC_96C6_A0EC04F649A6.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC6F6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF61A.tmp-\ScheduledTasks.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\e5a52b8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC8CE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{526D78AB-571E-4FCF-B06E-31AA9C98C44F}\NovaIcon.A8C9E50A_07B8_40BC_96C6_A0EC04F649A6.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB8E.tmp-\ScheduledTasks.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\{526D78AB-571E-4FCF-B06E-31AA9C98C44F}\DoIcon.A8C9E50A_07B8_40BC_96C6_A0EC04F649A6.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF61A.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\e5a52aa.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB8E.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI4F01.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIECF0.tmp-\ScheduledTasks.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSID0EB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIECF0.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF137.tmp-\ScheduledTasks.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A2.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\e5a52bd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICA1A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF137.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI71AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC8EE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI59DA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6361.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6DF2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{0381A4C3-3B90-436E-8E69-15E4CDBDEC2D} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF61A.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{7CC4C9C8-2CD5-4EDF-94B8-7AFF868585C9} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5a52be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI967F.tmp-\ScheduledTasks.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Installer\e5a52a5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52ae.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52c7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52b3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE9A4.tmp-\ScheduledTasks.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI8660.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC91E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICA3A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{673C8085-8235-42C6-B259-C2E1CF791C46} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIF7A2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5a52a9.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000db5049eb9f24a4820000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000db5049eb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900db5049eb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ddb5049eb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000db5049eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002 C:\Windows\System32\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\DoSave.exe = "99999" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98559284-163F-4F03-9698-04024FB46109}\AppName = "novacl11.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98559284-163F-4F03-9698-04024FB46109}\AppPath = "C:\\Windows\\System32\\spool\\drivers\\x64\\3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\StartupDo.exe = "99999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PrinterManager.exe = "99999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ActivationClient.exe = "99999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Startup.exe = "99999" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Monitor.exe = "99999" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98559284-163F-4F03-9698-04024FB46109} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98559284-163F-4F03-9698-04024FB46109}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\UpdateApplication.exe = "99999" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Publisher\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\Description = "novaPDF Office AddIn 11" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Excel\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\CommandLineSafe = "0" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Visio\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\LoadBehavior = "3" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Publisher\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\CommandLineSafe = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Word\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\PowerPoint\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\FriendlyName = "novaPDF Office AddIn 11" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\PowerPoint\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\LoadBehavior = "3" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Visio\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\Description = "novaPDF Office AddIn 11" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts C:\Windows\System32\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" C:\Windows\System32\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Softland\novaPDF 11 C:\Windows\system32\PrintIsolationHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Printers\ConvertUserDevModesCount\novaPDF 11 = "1" C:\Windows\System32\spoolsv.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Publisher\Addins\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\FriendlyName = "novaPDF Office AddIn 11" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5808C37653286C242B952C1EFC97C164\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3FBEF950-5D60-45C0-BB82-F1BB156A6E70}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E39E094-CD29-467C-8182-F1370C5AAEA1}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4BCA2473590D7424A9911D86A215E02D\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5808C37653286C242B952C1EFC97C164 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\ProgID\ = "novapi11.NovaPdfOptions11.1" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3EA8DF2B910443B4494BFB0CD1349DD8\3C4A183009B3E634E896514EDCDBCED2 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA87D625E175FCF40BE613AAC9894CF4\PackageCode = "D2F85EF39BAA02042A5D7A06E0BAADF7" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\CurVer C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50F12C19-072E-45A7-B3A5-06F2F595FF74}\1.0\0\win64\ = "C:\\Program Files\\Softland\\Office Add-In 11\\NovaPDFOfficeAddIn64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0395-0000-0000-C000-000000000046}\TypeLib\Version = "1.0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{673C8085-8235-42C6-B259-C2E1CF791C46}\Dependents\{a88d9422-a03b-44c9-b31a-c3a1cb041aa1} C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\novapi11.NovaPdfOptions11\CurVer C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4CAC3C422444B9249AC00AA94F2819ED\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\ProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C4A183009B3E634E896514EDCDBCED2\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11.1\CLSID\ = "{8E39E094-CD29-467C-8182-F1370C5AAEA1}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50F12C19-072E-45A7-B3A5-06F2F595FF74}\1.0\HELPDIR C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8C9C4CC75DC2FDE4498BA7FF6858589C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C4A183009B3E634E896514EDCDBCED2\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\DriverPackageIdx64.11.9.444\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5808C37653286C242B952C1EFC97C164\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE00795294ECB204C8B078769A9CE2C4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4CAC3C422444B9249AC00AA94F2819ED\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4CAC3C422444B9249AC00AA94F2819ED\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\novapi11.NovaPdfOptions11\ = "NovaPdfOptions11 Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA87D625E175FCF40BE613AAC9894CF4\ProductName = "novaPDF 11" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE00795294ECB204C8B078769A9CE2C4\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\NovaPDFToolsId11.9.444\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\novapi11.NovaPdfOptions11\CLSID\ = "{48E59DBA-28F9-43D8-B315-82674615CCA4}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE00795294ECB204C8B078769A9CE2C4\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\NovaPDFToolsId11.9.444\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA87D625E175FCF40BE613AAC9894CF4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4BCA2473590D7424A9911D86A215E02D\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\OfficeAddInPackageId6411.9.444\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5808C37653286C242B952C1EFC97C164\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\OfficeAddInPackageId8611.9.444\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47B6DF9F-2D67-4D01-A5B0-A74A4B5B4807} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0381A4C3-3B90-436E-8E69-15E4CDBDEC2D} C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4BCA2473590D7424A9911D86A215E02D\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5808C37653286C242B952C1EFC97C164\SourceList\Media\1 = "Disk1;" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{259700EE-CE49-402B-8C0B-8767A9C92E4C} C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\ProgID C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4CAC3C422444B9249AC00AA94F2819ED C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{526D78AB-571E-4FCF-B06E-31AA9C98C44F} C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\CLSID\ = "{8E39E094-CD29-467C-8182-F1370C5AAEA1}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5808C37653286C242B952C1EFC97C164\SourceList\PackageName = "novaOfficeAddIn(x86).msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\novapi11.NovaPdfOptions11 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B19F8E54-9F5B-48A1-A07B-D1AD7AF94C1D}\b.0\0\win32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C4A183009B3E634E896514EDCDBCED2\PackageCode = "315F6A126046F804BABB20DC8674ED75" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0381A4C3-3B90-436E-8E69-15E4CDBDEC2D}\Dependents C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{a88d9422-a03b-44c9-b31a-c3a1cb041aa1}\Dependents\{a88d9422-a03b-44c9-b31a-c3a1cb041aa1} C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NovaPDFOfficeAddIn11.NovaPDFOfficeAddIn11\CLSID\ = "{8E39E094-CD29-467C-8182-F1370C5AAEA1}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C4A183009B3E634E896514EDCDBCED2\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4BCA2473590D7424A9911D86A215E02D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE00795294ECB204C8B078769A9CE2C4\SourceList\PackageName = "novaPDF11Tools.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0395-0000-0000-C000-000000000046}\TypeLib\ = "{50F12C19-072E-45A7-B3A5-06F2F595FF74}" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA87D625E175FCF40BE613AAC9894CF4\Version = "185139644" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{47B6DF9F-2D67-4D01-A5B0-A74A4B5B4807}\TypeLib\ = "{B19F8E54-9F5B-48A1-A07B-D1AD7AF94C1D}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C4A183009B3E634E896514EDCDBCED2\ProgramFilesFeature = "Complete" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BA87D625E175FCF40BE613AAC9894CF4\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E39E094-CD29-467C-8182-F1370C5AAEA1}\VersionIndependentProgID C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{47B6DF9F-2D67-4D01-A5B0-A74A4B5B4807}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\novapi11.NovaPdfOptions11\ = "NovaPdfOptions11 Class" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59DBA-28F9-43D8-B315-82674615CCA4}\TypeLib\ = "{B19F8E54-9F5B-48A1-A07B-D1AD7AF94C1D}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B19F8E54-9F5B-48A1-A07B-D1AD7AF94C1D}\b.0\HELPDIR\ = "C:\\Program Files (x86)\\Softland\\novaPDF 11\\SDK\\Lib\\i386" C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 3908 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 2028 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4860 wrote to memory of 5020 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://extra-ram.soft112.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2cdb9758,0x7ffb2cdb9768,0x7ffb2cdb9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4944 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3972 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5304 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5740 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6024 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6012 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4720 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3988 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5528 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=824 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4860 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4984 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5096 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3036 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Users\Admin\Downloads\novapdf-full.exe

"C:\Users\Admin\Downloads\novapdf-full.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3060 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:8

C:\Windows\Temp\{45DE6611-DFD3-47FB-A6EA-6C8176793ABC}\.cr\novapdf-full.exe

"C:\Windows\Temp\{45DE6611-DFD3-47FB-A6EA-6C8176793ABC}\.cr\novapdf-full.exe" -burn.clean.room="C:\Users\Admin\Downloads\novapdf-full.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 --field-trial-handle=1976,i,6716031494705806081,16133089282622323152,131072 /prefetch:2

C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe

"C:\Windows\Temp\{085214DA-9996-49BB-8334-2B0C895C7D3A}\.be\novapdf.exe" -q -burn.elevated BurnPipe.{EB245193-3419-4C28-ADE2-6CA510B3831D} {7132F718-1A28-41E8-BC7B-8957A11EB7AA} 912

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe

"C:\ProgramData\Package Cache\WindowsDriverRestrictionsPackageId11.9.444\WindowsDriverRestrictions.exe" /UILevel=4 /lv=C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052557_000_WindowsDriverRestrictions.log

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 337B46B5A167737A94CEC443C3A6FB9C

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Softland\Office Add-In 11\NovaPDFOfficeAddIn64.dll"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 80D1128E2A6E35EAC98310F28E16BD0D

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Softland\Office Add-In 11\NovaPDFOfficeAddIn86.dll"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1C16F6D74AB3ED87687622311348BE48

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4FF5A0E809256A6C3DFB3D7A3396109F

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Softland\novaPDF 11\SDK\Lib\i386\novapi11.dll"

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 3C269095A9B209541C577DFBA15C674A

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Softland\novaPDF 11\SDK\Lib\x64\novapi11.dll"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C618F0CDA12FE321B2388C703EB10A8F

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI967F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240818078 12 ScheduledTasks!ScheduledTasks.CustomActions.CheckServiceStatusType

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIAB8E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240823234 20 ScheduledTasks!ScheduledTasks.CustomActions.CheckAccessControl

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding D94EC77604EBAF18ECF3CA8F234DFC61

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding EED4A359DEAFB40A55B189F1E2D95E08 E Global\MSI0000

C:\Windows\system32\rundll32.exe

rundll32 printui.dll,PrintUIEntry /ia /m "novaPDF 11" /K /h "x64" /v 3 /f "nova11.inf"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "c:\program files\softland\novapdf 11\driver\kit\nova11.inf" "9" "4ff4a86b7" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\program files\softland\novapdf 11\driver\kit"

C:\Windows\system32\PrintIsolationHost.exe

C:\Windows\system32\PrintIsolationHost.exe -Embedding

C:\Windows\system32\rundll32.exe

rundll32 printui.dll,PrintUIEntry /ia /m "novaPDF 11" /K /h "x86" /v 3 /f "nova11.inf"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "c:\program files\softland\novapdf 11\driver\kit\nova11.inf" "0" "4ff4a86b7" "000000000000015C" "WinSta0\Default" "000000000000010C" "208" "c:\program files\softland\novapdf 11\driver\kit"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AE9E4797302091BE4577AB43544558AD E Global\MSI0000

C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe

"C:\Program Files\Softland\novaPDF 11\Server\novapdfs.exe"

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding DC0C85891512E9C393FB19CAC9247409

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding E5D37C9F9B9B93E1E781AD01F0281936 E Global\MSI0000

C:\Windows\system32\PrintIsolationHost.exe

C:\Windows\system32\PrintIsolationHost.exe -Embedding

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 087596ADC5598EA8C58AA96AF6CE2B4A

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIE9A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240904796 131 ScheduledTasks!ScheduledTasks.CustomActions.CreateTask

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /xml C:\Users\Admin\AppData\Local\Temp\task.xml /tn "novaPDF 11 Update"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIECF0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240905421 136 ScheduledTasks!ScheduledTasks.CustomActions.CreateTask

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /xml C:\Users\Admin\AppData\Local\Temp\task.xml /tn "novaPDF 11 Telemetry"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3F4020FEC8CBF71F90A85EDF5CE29476 E Global\MSI0000

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF137.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240906843 141 ScheduledTasks!ScheduledTasks.CustomActions.UpdateInstallDate

C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe

"C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe" "C:\ProgramData\Softland\novaPDF 11\nPdf_Softland\nPdf_Softland.mon" "insert or replace into Settings(Name, Value) values('InstallDate','08/03/2024 05:28:54');"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF61A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240907781 150 ScheduledTasks!ScheduledTasks.CustomActions.TryAddDeleteFlag

C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe

"C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe" "C:\ProgramData\Softland\novaPDF 11\nPdf_Softland\nPdf_Softland.prf" "ALTER TABLE LicenseInfo ADD Deleted tinyint;"

C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe

"C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe" "C:\ProgramData\Softland\novaPDF 11\nPdf_Softland\nPdf_Softland.prf" "ALTER TABLE LicenseUserInfo ADD Deleted tinyint;"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF7A2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240908156 159 ScheduledTasks!ScheduledTasks.CustomActions.TryAddDefaultOutlookEmail

C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe

"C:\Program Files\Softland\novaPDF 11\Driver\sqlite3.exe" "C:\ProgramData\Softland\novaPDF 11\nPdf_Softland\nPdf_Softland.prf" "insert into preset (PKGuid, FKOwner, TypeGuid, IsProfile, IsPrivate, IsTemporary, Data, PresetName, Usage, LastSave, IsDefault, IsVendor, FileTimeLastSave) values ('723593af52a044bebdececb5209d2cae', 'e631aa7dd6bb489c8f25cfdb1b4fd367', 'd5e81884b4de4bf695213810a9b341f5','0','0','0','<?xml version=''1.0'' encoding=''utf-16''?><EmailOutlookPreset xmlns:xsd=''http://www.w3.org/2001/XMLSchema'' xmlns:xsi=''http://www.w3.org/2001/XMLSchema-instance''><IsRoot>false</IsRoot><IsPrivate>false</IsPrivate><IsTemporary>false</IsTemporary><IsDefault>false</IsDefault><Creator>Vendor</Creator><Metadata><Name>*EMAILOUTLOOKN-Save</Name><Description>*EMAILOUTLOOKD-Save</Description><Author>Softland</Author></Metadata><Id>723593af-52a0-44be-bdec-ecb5209d2cae</Id><Component>d5e81884-b4de-4bf6-9521-3810a9b341f5</Component><LastSaved>0001-01-01T00:00:00</LastSaved><Compress>false</Compress><ChangeExtension>false</ChangeExtension><AttachPDF>true</AttachPDF><LookupAddress>true</LookupAddress><AttachOtherFiles>false</AttachOtherFiles><OtherFiles/><Subject/><Body/><ExtensionText>txt</ExtensionText><BCCAddress/><CCAddress/><FromAddress/><ToAddress/><Importance>Normal</Importance><RequestReadReceipt>false</RequestReadReceipt><NoForward>false</NoForward><NoReply>false</NoReply><NoReplyAll>false</NoReplyAll><Action>Save</Action><DeleteAfterSend>false</DeleteAfterSend><Category/><PasswordProtection>false</PasswordProtection><ZipPassword/><SendAsText>true</SendAsText><AddDefaultSignature>true</AddDefaultSignature><RequestDeliveryReceipt>false</RequestDeliveryReceipt><Sensitivity>Normal</Sensitivity><IgnoreMissingFiles>false</IgnoreMissingFiles></EmailOutlookPreset>', '*EMAILOUTLOOKN-Save', '0',datetime('now'),'0','1','133543493357539562')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 extra-ram.soft112.com udp
US 104.243.35.223:443 extra-ram.soft112.com tcp
US 104.243.35.223:443 extra-ram.soft112.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 223.35.243.104.in-addr.arpa udp
US 8.8.8.8:53 www.soft112.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
US 209.222.98.21:443 www.soft112.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.204.66:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 226.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 232.179.250.142.in-addr.arpa udp
GB 142.250.200.10:443 content-autofill.googleapis.com tcp
GB 216.58.204.66:443 googleads.g.doubleclick.net tcp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 www.clarity.ms udp
US 13.107.246.64:443 www.clarity.ms tcp
US 8.8.8.8:53 lh3.googleusercontent.com udp
GB 216.58.201.97:443 lh3.googleusercontent.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 www.google.co.uk udp
BE 108.177.15.156:443 stats.g.doubleclick.net tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
GB 216.58.204.67:443 www.google.co.uk tcp
BE 108.177.15.156:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 21.98.222.209.in-addr.arpa udp
US 8.8.8.8:53 66.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 156.15.177.108.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
GB 216.58.204.67:443 www.google.co.uk udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 c.clarity.ms udp
IE 68.219.88.97:443 c.clarity.ms tcp
US 8.8.8.8:53 c.bing.com udp
US 204.79.197.200:443 c.bing.com tcp
US 8.8.8.8:53 243.174.119.20.in-addr.arpa udp
US 8.8.8.8:53 97.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
GB 216.58.204.66:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 216.58.212.193:443 tpc.googlesyndication.com tcp
GB 216.58.212.193:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 193.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
GB 216.58.204.66:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 216.239.32.36:443 region1.analytics.google.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 csi.gstatic.com udp
BR 142.251.132.3:443 csi.gstatic.com tcp
BR 142.251.132.3:443 csi.gstatic.com tcp
US 8.8.8.8:53 3.132.251.142.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 www.extra-ram.com udp
NL 37.48.65.144:80 www.extra-ram.com tcp
NL 37.48.65.144:80 www.extra-ram.com tcp
NL 37.48.65.144:80 www.extra-ram.com tcp
US 8.8.8.8:53 ww1.extra-ram.com udp
US 199.59.243.225:80 ww1.extra-ram.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 parking.bodiscdn.com udp
US 104.22.41.120:443 parking.bodiscdn.com tcp
US 8.8.8.8:53 144.65.48.37.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 us-central1-adzapier-us.cloudfunctions.net udp
US 216.239.36.54:443 us-central1-adzapier-us.cloudfunctions.net tcp
US 8.8.8.8:53 cdn.primeconsent.com udp
US 104.18.12.192:443 cdn.primeconsent.com tcp
US 8.8.8.8:53 www.ads.com udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 120.41.22.104.in-addr.arpa udp
US 8.8.8.8:53 54.36.239.216.in-addr.arpa udp
US 8.8.8.8:53 192.12.18.104.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 ads.soft112.com udp
US 206.221.176.5:443 ads.soft112.com tcp
US 8.8.8.8:53 api.privacypillar.com udp
US 159.203.145.149:443 api.privacypillar.com tcp
US 8.8.8.8:53 www.adsensecustomsearchads.com udp
GB 172.217.16.238:443 www.adsensecustomsearchads.com tcp
US 8.8.8.8:53 partner.googleadservices.com udp
US 8.8.8.8:53 soft112.com udp
US 206.221.176.5:443 ads.soft112.com tcp
US 206.221.176.5:443 ads.soft112.com tcp
US 8.8.8.8:53 5.176.221.206.in-addr.arpa udp
US 8.8.8.8:53 149.145.203.159.in-addr.arpa udp
GB 142.250.200.10:443 content-autofill.googleapis.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.3:443 beacons.gcp.gvt2.com tcp
US 192.178.49.3:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 e2cs24.gcp.gvt2.com udp
US 34.138.204.1:443 e2cs24.gcp.gvt2.com tcp
US 8.8.8.8:53 3.49.178.192.in-addr.arpa udp
US 8.8.8.8:53 1.204.138.34.in-addr.arpa udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 192.178.49.3:443 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gvt2.com tcp
GB 216.58.204.67:443 www.google.co.uk udp
US 8.8.8.8:53 163.49.178.192.in-addr.arpa udp
US 206.221.176.5:443 ads.soft112.com tcp
US 206.221.176.5:443 ads.soft112.com tcp
US 8.8.8.8:53 www.novapdf.com udp
US 172.67.138.75:443 www.novapdf.com tcp
US 172.67.138.75:443 www.novapdf.com udp
US 8.8.8.8:53 75.138.67.172.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 216.58.201.110:443 google.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
BE 108.177.15.156:443 stats.g.doubleclick.net udp
US 199.59.243.225:80 ww1.extra-ram.com tcp
US 199.59.243.225:80 ww1.extra-ram.com tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
US 216.239.36.54:443 us-central1-adzapier-us.cloudfunctions.net udp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
GB 172.217.16.238:443 www.adsensecustomsearchads.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 download.novapdf.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 beacons2.gvt2.com udp
US 216.239.36.117:443 beacons2.gvt2.com tcp
US 216.239.36.117:443 beacons2.gvt2.com udp
US 8.8.8.8:53 117.36.239.216.in-addr.arpa udp
US 192.178.49.3:443 beacons.gcp.gvt2.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 www.novapdf.com udp
US 172.67.138.75:443 www.novapdf.com tcp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 google.com udp
GB 216.58.201.110:443 google.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 172.67.138.75:443 www.novapdf.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
US 192.178.49.3:443 beacons.gcp.gvt2.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 192.178.49.3:443 beacons.gcp.gvt2.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp

Files

\??\pipe\crashpad_4860_BBTWVHBBOCIBFDQY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json


C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaemex11.exe

MD5 e18a352b75666835a556629a66c57a1d
SHA1 91a0ff49d45b69ea8eb04b080597c41051c24754
SHA256 a50ff813c85b8eddd0ae07efd2cee184b3b9d2af06f70bbae2e26481f94900a7
SHA512 edcdeec850b2625a79de5ef9b4968781c8f715034ab43998ad7ace71659c9accf658470db439d8fc027f5e7b487a0f8d87f221fd020f98c96b9910a2e825ca76

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaim11.dll

MD5 f67b251ab18f01d4ef5275fdcd994000
SHA1 5882d8a0fcb66117c9919fdbcd67d2e51fb6f8b2
SHA256 6093a95970ed1e951aa95a877c38e149ba204ea2b8ec5515e1e7e640eb57d3bd
SHA512 f833fc7eabae459dde3f1cf17baf3cd263313ea549e20dbedba50331defdfb97af9db12af0085c85c0dc57be6789fb39b36b519c5d790b6a29107bbe8b1aeb82

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaem11.exe

MD5 feda75a36a9002529914d5ffc2168eb2
SHA1 272e987bf685bc1fead0146bf3eb648474ca873c
SHA256 52dd4601caa5625f054cc1c6c62abcf9235f661e1fae75028153aa81dbefa68c
SHA512 416feabb4a3edc7862b53c9cdd7eddad5a32a2c17e417697f97985506bd0dacb45eb6689659f317696a558ab67f377735d5ff548d6ec991a80f62486f394f90a

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novasv11.dll

MD5 cd2423e7df0c8d97bed62671be2f67f6
SHA1 8b2049d3eb28b69d2eaee8d624c945f500fd4d5e
SHA256 8a5fac5b90ed7452d2be2cf7ef9f3e71c12b2b88e9168153b71ffd64d945ecd8
SHA512 3cbc6a1b3efa71b615579f8c9a9794002d7c16567e51be2beb435f997d9304d4f4fe9cf485e00931b10c3920529fb40ced9c7aeedb8873fe2ba1033deb304203

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novapr11.dll

MD5 faa54cb7611e70471f4efec5bd9ab6df
SHA1 f5d5c231dad1dc5dfba834a41de742d3118a4812
SHA256 b68d23d72f441afdd954c2a0952e0d145f97725b9f820166626f0d7207d6c4c4
SHA512 39fb6831b326915392184bb24861af5357ab3d0bcb202c0472cf28cc71e63dd5a34420e2e22ece1e15f0b0e737aa0a2df2169dd580f1165d95e10135f6de6142

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaui11.dll

MD5 b7d9ec478bb5eb1cc37c3c64b7ad41a9
SHA1 5417ff9b6ac444ef0dfd6159593fc6767aeae8e6
SHA256 ba9e7c9cfb567e7c8632d48d7d2a72d2911f2761f03c0241ffa369d80dae8188
SHA512 1a3a83518e8bd52d88513074c3d2faf7ec81bbe8d078a04ca35ffbe087d963e02671a302099ed99d239369e8cdef6d0f04baed28fe0746405b00d52c851de376

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novacl11.exe

MD5 bd37b8a3e631fa00c8669a4f843356f5
SHA1 358f92e2c3e8a072c5e030d93dfe423e1135f08c
SHA256 3d2d183857a62eeaacc992f9cca0c4fa02cb73bc0eea4c91fe708d3b24ffcd58
SHA512 dd02ada855b6b51cfe062355b836c6f941feda6b210cda6d78e201ec487074c3030a3bf051ffd2b0f11603cda5874c15b53379c310a006f477243529a903c971

C:\Windows\System32\DriverStore\Temp\{28e9340e-b300-814e-a8a9-47f62340a87c}\i386\novaem11.dll

MD5 c237a6dd328624dcc34c5e7b24da2152
SHA1 c96faf4d9e703926abf1c210afd69e1e2c835072
SHA256 ef87855852b486baab730731d0e2602d1d8f830872e9ffc8ad7deaae5d3f2896
SHA512 070de9111c179fb8e7b4ce259e275504b3a391eaf2a4bd7eb0f44199cc6703720aa0abf28f2442fcd0a633de7e0276580a09132310472ce9d0888a4373a57512

C:\Windows\Installer\MSIE8A1.tmp

MD5 93394d2866590fb66759f5f0263453f2
SHA1 2f0903d4b21a0231add1b4cd02e25c7c4974da84
SHA256 5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b
SHA512 f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

C:\Windows\Installer\MSIEC8B.tmp

MD5 b2e2c24ebce4f188cf28b9e1470227f5
SHA1 9de61721326d8e88636f9633aa37fcb885a4babe
SHA256 233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69
SHA512 343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

memory/4140-1987-0x000001F92C800000-0x000001F92C810000-memory.dmp

memory/4140-1988-0x00007FFB19950000-0x00007FFB1A411000-memory.dmp

memory/4140-1989-0x00007FFB14AB0000-0x00007FFB15263000-memory.dmp

memory/4140-1990-0x00007FFB14AB0000-0x00007FFB15263000-memory.dmp

memory/4140-1991-0x00007FFB1B630000-0x00007FFB1B77E000-memory.dmp

memory/4140-1992-0x000001F945B30000-0x000001F945B7E000-memory.dmp

memory/4140-1993-0x000001F945BF0000-0x000001F945C58000-memory.dmp

memory/4140-1994-0x000001F92D0A0000-0x000001F92D0B0000-memory.dmp

memory/4140-1995-0x000001F92D0B0000-0x000001F92D0BC000-memory.dmp

memory/4140-1996-0x000001F945BD0000-0x000001F945BE2000-memory.dmp

memory/4140-1997-0x000001F946520000-0x000001F94655C000-memory.dmp

memory/4140-1998-0x000001F9465B0000-0x000001F9465F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052752_ManagePortMonitor.log

MD5 77354652d1683687fd51026e1d8b1656
SHA1 1ada1191e1bf533374c65a7507000f01686b4bbf
SHA256 7b2eab4a49ef9be1032c253eaf12067153d605a2fe8aafff3a7726df28ae4007
SHA512 ee29b3ec133bb14b7db08885138257f81c3a6fc9031fec5c0b1ddacf402d897baf3f4be745103f7d3326e428cfd061ffc8f19ab5311f869016996caa50d9a1c3

memory/4140-2009-0x00007FFB14AB0000-0x00007FFB15263000-memory.dmp

memory/4140-2011-0x00007FFB14AB0000-0x00007FFB15263000-memory.dmp

memory/4140-2012-0x00007FFB19950000-0x00007FFB1A411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052812_ManagePortMonitor.log

MD5 0913109ae7ea64521c13bcdb1a2db25d
SHA1 4ceba6b77d13d67964fa945e8500e33a22ab58fa
SHA256 d6e2640d193749ec6136d71b4dfbd277194e750b52f77d176ef7e6b1ed2125d5
SHA512 ea9322253d391f602994503b68fbf24d7e63dc37ddd4b21d71c0855163419d95f3c92156546552865e66be90288286aeb0c36450dd0729f1f1eb3dd3b765ddd2

C:\Windows\Installer\MSI5328.tmp

MD5 956bfe0a399d724c29a29104d5b3429a
SHA1 2590ca6819fb7036cec6a9c492031f917bbf0e1c
SHA256 07c7db69ff3e39330d818ad1765ebf644a945fedf9467234da28f585b55b7ab2
SHA512 c00ac44c3b34fdcff3bff8d47ee85ae85c629010fd0dadfc1b25fb8764df23abd143c65a60e08f05b388cbc5c1849935d608e4156604732e2987615304210f16

memory/4140-2035-0x000001F945B20000-0x000001F945B30000-memory.dmp

memory/4140-2036-0x00007FFB14AB0000-0x00007FFB15263000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052814_ManagePortMonitor.log

MD5 307afa3ce8d001b21e3e530cb95e8adb
SHA1 ed759d5cc4064ec0b7d5342ec9fcea39e315acdf
SHA256 1e2cd1b09a42597a490ba4a1f1eb14732ad89fb0d302c3b9fc4a912a622a5154
SHA512 a9d3f80486dc21ebfb1983cb6535f50a80f5965916b1aed067d1203d303b453a67b8d4bdd1089d4c9d35bae48bc4ad1145d80803918ceba3cc109b58aa3ace0f

memory/4140-2049-0x00007FFB14AB0000-0x00007FFB15263000-memory.dmp

C:\Windows\Installer\e5a52c2.msi

MD5 626d77475cc29cdbed79003704e3fd1d
SHA1 ab65f26475c2866e7022149625acce945bc082b4
SHA256 c0d21283964616b59b44505dd3a10877b3ad2ad12a45e2eae7ffd3c994179662
SHA512 8286ccb0def3bb6180b263d223437afad2a44afe27098ebfeb7e67c3092a5424297fd8952402fab4aea2e162bcd9f9caa331b142612de297f2ccba4e4bce1abe

C:\Config.Msi\e5a52c1.rbs

MD5 32dd1f80845a1ca624a5b9cb8d99d0eb
SHA1 e626dde24c88877e5f6e06b6d8e9e06ed586ff2b
SHA256 01fb518f91747147c53a2bab2a35e32e5c1043471e889c722044d76b5410a13a
SHA512 c05ade4d048af7afff9dda8f9759d964fc6687199083f9d0e60513a1c1ce9599dc1d449bcd361f8d87654e994b1b4f648b5dd34d8180e585595d0bda05010b2c

C:\Windows\Installer\MSIB1D5.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052839_CustomActions.log

MD5 e7f3fbb6c3431319bdd98377da910ec4
SHA1 4455dadf72528c907c4ce4a3f31d7fc5306401a3
SHA256 3b1cef0f3f7482ba41596562d8b03e15428ea2abc34725d19041cb0d5f559986
SHA512 32d7473b267cc98cb4c75e508a38d7bdf6c0f4ae98526134b0bff6950d50d7b59b2ece11f22b9db36a68b0f68226eb9d48e80035ba4a7b8e28243faf3c03b3d3

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052844_CustomActions.log

MD5 95cfe8fe72220c32bc5e50c26eb12546
SHA1 d8fbdea5bacf54034bb2ae859669cdad4925e22a
SHA256 eff2caadf68340c1f73f6d667638ffaf99480e7385986d894ed8c7c5264e4a7f
SHA512 f460c89d6273a747edc2b6c11a0da7da08c3a5b6d97e623cc21c1e0d99b4a9c7af17b0a1de00b355d1c3b995cb9cfc0c6e1f7f0cf6f09e3b0654fd76e4a422fd

C:\Windows\Installer\e5a52c7.msi

MD5 bc43a6bafd37ed27d84a0498b3a4fe93
SHA1 79934402f282e4f57a6f1552b91c220593c8055d
SHA256 7003644b51f7862ace42be93dfb3d289f7c7e6e54b72030114f8c636cd6b0047
SHA512 a0cb630f1b43ca6e3cc82690fcdab40e8e9113f0aa6380c3925991685a81fd2360811bc2e1328a5d37618186a64b71158f562dfd8247631af3f02edf6fc07ccc

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052845_ManagePortMonitor.log

MD5 576035728b33596a52a4779221d313f1
SHA1 42cebfa7fc021dc570bc6d93a04c97b3240e886f
SHA256 eb99221522e0f659ea96f6fabc461033d8b157b2ed75ff5499457b31ae0f3e92
SHA512 d7ff1ceaf464c36176c0859474a78d511c024b8a7091adff24f7ebf8cb08424639963d26d85faa387c4b8e1e806e8303447ea078e27b04bff8106e8bee2b1ca0

C:\Users\Admin\AppData\Local\Temp\novaPDF_11_20240308052845_ManagePortMonitor.log

MD5 a5c6436b04d2c0de9810df6a7a8adf9b
SHA1 20dfb90ec7e4a6305d653aee7322ade3762cd6bb
SHA256 959910fb0f52faa11d16fd2feb133dd4738cd04300eeabd4947989ff18489c33
SHA512 6807899423524cbb820e8c19a7fce7ebadbae9a51bfef694b61117ea919d7c83ef059a355745f6df4fd7a0170d1138c0f45f419bfe2a170e967bf3dfed2103de

C:\Windows\Installer\MSIE9A4.tmp

MD5 32fadfa508e7c769f951cc9ce3e42a97
SHA1 ae911ba3f76217202d1f0a4dc1f9f5f1ced3b3e3
SHA256 aa30bc1a87dd1514a3b7f781f40fc465dbf215f55733cca48f8666aca2364ebe
SHA512 768f171a53388995c4ad5e2280f0f5b6f01bba04db91fb53f068cd63e69c510618852eb36ccf57238d6d3b8a15ab5ad0a35094f479822792ee763901076fa748

memory/992-2236-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/992-2238-0x0000000002250000-0x0000000002260000-memory.dmp

memory/992-2239-0x0000000002250000-0x0000000002260000-memory.dmp

memory/992-2240-0x0000000002250000-0x0000000002260000-memory.dmp

memory/992-2241-0x0000000002250000-0x0000000002260000-memory.dmp

memory/992-2248-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/2776-2260-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/2776-2261-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/2776-2263-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/2776-2264-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/2776-2265-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/2776-2262-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/2776-2272-0x00000000733D0000-0x0000000073B80000-memory.dmp

memory/3976-2290-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1580-2308-0x0000000000400000-0x000000000047D000-memory.dmp

memory/640-2314-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2184-2336-0x0000000000400000-0x000000000047D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 05:23

Reported

2024-03-08 05:28

Platform

win11-20240221-en

Max time kernel

300s

Max time network

264s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://extra-ram.soft112.com/

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133543490379514445" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 4300 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4300 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4872 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1376 wrote to memory of 4732 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://extra-ram.soft112.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fff6c619758,0x7fff6c619768,0x7fff6c619778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4928 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3704 --field-trial-handle=1840,i,9251596975918166242,1396278197369055692,131072 /prefetch:2

Network

Files

\??\pipe\crashpad_1376_UHGJYZNDDWCJKYMA

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
