1024b5fa915768f1b8d83eea9be01dcd664401b8c4732223733f2bc2689c78d5

Analysis

max time kernel
360s
max time network
362s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDFCreator-1_7_1_setup [1].exe
Size

17.0MB
MD5

2b0cbab7d9dbb405421f2397967d021c
SHA1

9434866971dd357600c9f2b1e31b7893c3a070f0
SHA256

1024b5fa915768f1b8d83eea9be01dcd664401b8c4732223733f2bc2689c78d5
SHA512

423d7656799a96033f336cadcbb70ca52dacd22fe23fb41197105011809e89aaaec9a9f38fa007cf4091debc3c83e54347bd02f8d3ca4d18df39ee48a7823e88
SSDEEP

393216:6D7co9AY9qIV0vZas83lfwu9GI7tmbL7aGe1Vsn:6D7coWIPs83lfDGXraG2Vsn

Score

8^/10

discovery persistence

Malware Config

Signatures

Registers new Print Monitor 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\pdfcmon	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\pdfcmon\PdfCreator = "C:\\Program Files (x86)\\PDFCreator\\PDFCreator.exe"	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\pdfcmon\Port = "pdfcmon"	PDFCreator-1_7_1_setup [1].tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	PDFCreator-1_7_1_setup [1].tmp

Executes dropped EXE 7 IoCs

pid	Process
2328	PDFCreator-1_7_1_setup [1].tmp
2600	DownloadUpdateInfo.exe
2736	DownloadUpdateInfo.tmp
2452	PDFCreator.exe
2668	InstallCheck.exe
3032	InstallCheck.tmp
528	PDFCreator.exe

Loads dropped DLL 42 IoCs

pid	Process
2232	PDFCreator-1_7_1_setup [1].exe
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2600	DownloadUpdateInfo.exe
2736	DownloadUpdateInfo.tmp
2736	DownloadUpdateInfo.tmp
2736	DownloadUpdateInfo.tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
2328	PDFCreator-1_7_1_setup [1].tmp
1408	regsvr32.exe
1576	regsvr32.exe
2016	regsvr32.exe
2328	PDFCreator-1_7_1_setup [1].tmp
1220	RegAsm.exe
1220	RegAsm.exe
1220	RegAsm.exe
1220	RegAsm.exe
1220	RegAsm.exe
400	Process not Found
400	Process not Found
400	Process not Found
400	Process not Found
400	Process not Found
400	Process not Found
400	Process not Found
2328	PDFCreator-1_7_1_setup [1].tmp
2668	InstallCheck.exe
3032	InstallCheck.tmp
3032	InstallCheck.tmp
528	PDFCreator.exe
528	PDFCreator.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\ = "Create PDF and Bitmap Files with PDFCreator"	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\command	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\command\ = "\"C:\\Program Files (x86)\\PDFCreator\\pdfcreator.exe\" -NOSTART -PF\"%1\""	PDFCreator-1_7_1_setup [1].tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-2Q4N0.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\is-5A9LS.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\is-KSF4I.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\is-JI777.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\SysWOW64\is-R1JEO.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\SysWOW64\is-VBRK8.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\is-MQHJ7.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\is-5E9MR.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\is-H65C7.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\system32\is-4CHD4.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Windows\SysWOW64\is-3921S.tmp	PDFCreator-1_7_1_setup [1].tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-QANQC.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-GMBJC.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-PPVTP.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-HO7O2.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-VP3UB.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Windows Scripting Host\VBScripts\is-0Q50P.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\PlugIns\pdfforge\is-1I4OL.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-CF5TF.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-24SD3.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-C2CUV.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-UDTAF.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-DQ4AH.tmp	PDFCreator-1_7_1_setup [1].tmp
File opened for modification	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\PDFX_def.ps	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-UPOGI.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-C6P5L.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-IIKTH.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-JSGBU.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\VB6\Sample2\is-R1IT9.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Dot Net\VS2005\Visual Basic\Sample1\is-IN5CI.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Windows Scripting Host\VBScripts\is-HOUR7.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-ONHVP.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-O4HCP.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-I8Q4K.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-1FB77.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-RVHU9.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-4CHDU.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-TNN5L.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\VB6\Sample2\is-BJR54.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-B7NIN.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-8BFFA.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-K7D7A.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\VB6\Sample1\is-1VTS9.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-OGDUJ.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-K1LJJ.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-KIM8P.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-KPP20.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\MS Office\is-UUICL.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-4NH26.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-5S3K2.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Dot Net\VS2005\C#\Sample2\is-0MGVP.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Dot Net\VS2005\Visual Basic\Sample2\is-UF67B.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\WinBatch\is-RING7.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-HI81A.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-2S5QS.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Dot Net\VS2005\Visual Basic\Sample1\is-S48HI.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Bin\is-3KBF8.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-K7EQF.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-S8Q2O.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\VB6\Sample1\is-2OR82.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-VOUAR.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-IBGRK.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-2GGCK.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Dot Net\VS2005\C#\Sample1\is-1MO5V.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Python\is-AT1Q6.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-E6SBC.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-PMEOR.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-73CTT.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-DJHDN.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\Scripts\RunProgramAfterSaving\is-86FUG.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\COM\Windows Scripting Host\VBScripts\is-7FSQV.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-JG8K4.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-BA9DU.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\Images2PDF\Languages\is-T2884.tmp	PDFCreator-1_7_1_setup [1].tmp
File created	C:\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Lib\is-LSLH1.tmp	PDFCreator-1_7_1_setup [1].tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000097863ab50e31864f8007178451cfd01a000000000200000000001066000000010000200000005d14db10801440675f39b1d19b719d04e948bba09bd94653278ff0249ff23982000000000e800000000200002000000080e285cc360d71bd4a963fc0779f26477157ea2b9581997e51e2cba0488c275520000000cfe6e21c952064adcea5ff6efdd1324735d8ac30bfc02337f8f02d4f662c6f40400000007548876cf497796a53c9cfcff1a290151c441d6b7c323941a279476a7d27f1c55ddc1df7f57b4cf782082ff7bf3a89e3e7f440b499fb8f3bc998c21bfed6cf9a	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0c0059e258fda01	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser\PDFCreator = 500044004600430072006500610074006f007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001040006dc005c0353ef8101010009009a0b3408640001000f005802020001005802030001004100340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000010000000200000001000000000000000000000000000000000000000000000050524956e2300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018000000000010271027102700001027000000000000000088005c03000000000000000001000000000000000000000000000000030000000000000000001000503403002888040000000000000000000000010000000000000000000000000000000000e7b14b4c0300000005000a00ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000088000000534d544a0000000010007800500044004600430072006500610074006f00720000005265736f6c7574696f6e00363030647069005061676553697a650041340050616765526567696f6e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	PDFCreator-1_7_1_setup [1].tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Printers\DevModes2\PDFCreator = 500044004600430072006500610074006f007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001040006dc005c0353ef8101010009009a0b3408640001000f005802020001005802030001004100340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000010000000200000001000000000000000000000000000000000000000000000050524956e2300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018000000000010271027102700001027000000000000000088005c03000000000000000001000000000000000000000000000000030000000000000000001000503403002888040000000000000000000000010000000000000000000000000000000000e7b14b4c0300000005000a00ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000088000000534d544a0000000010007800500044004600430072006500610074006f00720000005265736f6c7574696f6e00363030647069005061676553697a650041340050616765526567696f6e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Program\Language = "english"	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Ghostscript\DirectoryGhostscriptResource = "C:\\Program Files (x86)\\PDFCreator\\GS9.07\\gs9.07\\Resource"	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\PDFCreator\Ghostscript	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\Printers\DevModes2	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Program\LastsaveDirectory = "<MyFiles>"	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Ghostscript\DirectoryGhostscriptBinaries = "C:\\Program Files (x86)\\PDFCreator\\GS9.07\\gs9.07\\Bin"	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\Software	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Program	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Program\AutosaveDirectory = "<MyFiles>"	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Program\PrinterTemppath = "<Temp>PDFCreator\\"	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Ghostscript\DirectoryGhostscriptFonts = "C:\\Program Files (x86)\\PDFCreator\\Gs9.07\\Fonts"	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\PDFCreator\Ghostscript\DirectoryGhostscriptLibraries = "C:\\Program Files (x86)\\PDFCreator\\GS9.07\\gs9.07\\Lib"	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\PDFCreator\Program	PDFCreator-1_7_1_setup [1].tmp

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider.2\CLSID\ = "{F08DF954-8592-11D1-B16A-00C0F0283628}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\CLSID\ = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\VersionIndependentProgID\ = "MSComCtl2.MonthView"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64D9C1FF-6CF5-4427-9F8B-398673D5AE70}\LocalServer32	PDFCreator.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	PDFCreator.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CLSID\ = "{DD9DA666-8594-11D1-B16A-00C0F0283628}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{887104EB-1F2D-404E-BC3A-572C063747D8}\ProxyStubClsid32	PDFCreator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEB14A2E-CB48-377C-AA3F-13576A1B1984}\ProgId	RegAsm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PDFCreator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX, 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\MiscStatus\1\ = "172433"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\command	PDFCreator-1_7_1_setup [1].tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX, 2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20C62CA0-15DA-101B-B9A8-444553540000}\TypeLib\ = "{20C62CAE-15DA-101B-B9A8-444553540000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSMAPI.MAPISession.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.Animation.2\CLSID\ = "{B09DE715-87C1-11D1-8BE3-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\ = "Microsoft ListView Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}\VersionIndependentProgID\ = "MSComctlLib.SBarCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20C62CA0-15DA-101B-B9A8-444553540000}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB1AE0D1-634E-11CF-8996-00AA00688B10}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\command	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\ = "Microsoft Slider Control 6.0 (SP6)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShowMacroEnabled.12\shell\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\command\ = "\"C:\\Program Files (x86)\\PDFCreator\\pdfcreator.exe\" -NOSTART -PF\"%1\""	PDFCreator-1_7_1_setup [1].tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pdfforge.Tools\CLSID\ = "{13D27D54-C7F6-36BD-AC6A-322B042722A9}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13D27D54-C7F6-36BD-AC6A-322B042722A9}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/PDFCreator/PlugIns/pdfforge/pdfforge.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\CLSID\ = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.1\ = "Microsoft Windows Common Controls 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{556C2772-F1AD-4DE1-8456-BD6E8F66113B}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA053A30-69D9-3C83-84FB-B447A32888F4}\ProgId	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C4-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}\ProgID\ = "MSComctlLib.ListViewCtrl.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe
2872	RunDll32.exe
2484	RunDll32.exe
2872	RunDll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
528	PDFCreator.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	2624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2624	msiexec.exe
Token: SeLockMemoryPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeMachineAccountPrivilege	2624	msiexec.exe
Token: SeTcbPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeLoadDriverPrivilege	2624	msiexec.exe
Token: SeSystemProfilePrivilege	2624	msiexec.exe
Token: SeSystemtimePrivilege	2624	msiexec.exe
Token: SeProfSingleProcessPrivilege	2624	msiexec.exe
Token: SeIncBasePriorityPrivilege	2624	msiexec.exe
Token: SeCreatePagefilePrivilege	2624	msiexec.exe
Token: SeCreatePermanentPrivilege	2624	msiexec.exe
Token: SeBackupPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeShutdownPrivilege	2624	msiexec.exe
Token: SeDebugPrivilege	2624	msiexec.exe
Token: SeAuditPrivilege	2624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2624	msiexec.exe
Token: SeChangeNotifyPrivilege	2624	msiexec.exe
Token: SeRemoteShutdownPrivilege	2624	msiexec.exe
Token: SeUndockPrivilege	2624	msiexec.exe
Token: SeSyncAgentPrivilege	2624	msiexec.exe
Token: SeEnableDelegationPrivilege	2624	msiexec.exe
Token: SeManageVolumePrivilege	2624	msiexec.exe
Token: SeImpersonatePrivilege	2624	msiexec.exe
Token: SeCreateGlobalPrivilege	2624	msiexec.exe
Token: 33	528	PDFCreator.exe
Token: SeIncBasePriorityPrivilege	528	PDFCreator.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2328	PDFCreator-1_7_1_setup [1].tmp
1668	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
528	PDFCreator.exe
528	PDFCreator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2232 wrote to memory of 2328	2232	PDFCreator-1_7_1_setup [1].exe	28
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2328 wrote to memory of 2600	2328	PDFCreator-1_7_1_setup [1].tmp	29
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2600 wrote to memory of 2736	2600	DownloadUpdateInfo.exe	30
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2484	2328	PDFCreator-1_7_1_setup [1].tmp	31
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 2872	2328	PDFCreator-1_7_1_setup [1].tmp	32
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1324	2328	PDFCreator-1_7_1_setup [1].tmp	33
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1408	2328	PDFCreator-1_7_1_setup [1].tmp	34
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 1576	2328	PDFCreator-1_7_1_setup [1].tmp	35
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2016	2328	PDFCreator-1_7_1_setup [1].tmp	36
PID 2328 wrote to memory of 2452	2328	PDFCreator-1_7_1_setup [1].tmp	38

C:\Users\Admin\AppData\Local\Temp\PDFCreator-1_7_1_setup [1].exe
"C:\Users\Admin\AppData\Local\Temp\PDFCreator-1_7_1_setup [1].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-HQ8NE.tmp\PDFCreator-1_7_1_setup [1].tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HQ8NE.tmp\PDFCreator-1_7_1_setup [1].tmp" /SL5="$400F8,17272099,56832,C:\Users\Admin\AppData\Local\Temp\PDFCreator-1_7_1_setup [1].exe"
  2⤵
  - Registers new Print Monitor
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\DownloadUpdateInfo.exe
    "C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\DownloadUpdateInfo.exe" /verysilent /URL=http://update.pdfforge.org/pdfcreator/update-info.txt /Filename="C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\update-info.txt" /TimeOut=7000
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\is-ULUSE.tmp\DownloadUpdateInfo.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ULUSE.tmp\DownloadUpdateInfo.tmp" /SL5="$401A6,262148,56832,C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\DownloadUpdateInfo.exe" /verysilent /URL=http://update.pdfforge.org/pdfcreator/update-info.txt /Filename="C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\update-info.txt" /TimeOut=7000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2736
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\OCSetupHlp.dll",_OCPRD68OpenCandy2@16 2328,C07A298D3FF64CF6BAA8E145179BA03C,21921E92AF604049BE771B1D962B4C5F
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\OCSetupHlp.dll",_OCPRD68OpenCandy2@16 2328,E86105CDB7F345A1A66973B11A49F45A,78A37CE5D5F94472A12BACA00C8BC6C4
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2872
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSVBVM60.DLL"
    3⤵
    - Modifies registry class
    PID:1324
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSCOMCT2.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1408
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSCOMCTL.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1576
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSMAPI32.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2016
- - C:\Program Files (x86)\PDFCreator\PDFCreator.exe
    "C:\Program Files (x86)\PDFCreator\PDFCreator.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Program Files (x86)\PDFCreator\PlugIns\pdfforge\pdfforge.dll" /codebase
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Modifies system certificate store
    PID:1220
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\PDFArchitect_latest_setup.msi" /quiet CREATE_DESKTOP_SHORTCUT=1 APPLICATION_LANGUAGE=0 ADDLOCAL=MainProgram,EnglishDocumentation,FrenchDocumentation,GermanDocumentation,ItalianDocumentation,PortugalDocumentation,SpanishDocumentation,RussianDocumentation,IntegrFirefox,IntegrIE,Inregr2007Excel,Inregr2007Outlok,Inregr2007PowerPoint,Previewer,Inregr2007Publisher,Inregr2007Word,IntegrShell
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\InstallCheck.exe
    "C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\InstallCheck.exe" /verysilent /p=1 /v=1.7.1 /ud=0 /lc=en /b=6 /d=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\is-IRPMR.tmp\InstallCheck.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IRPMR.tmp\InstallCheck.tmp" /SL5="$20202,56832,56832,C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\InstallCheck.exe" /verysilent /p=1 /v=1.7.1 /ud=0 /lc=en /b=6 /d=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3032
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.pdfforge.org/pdfcreator/welcome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1668
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Program Files (x86)\PDFCreator\PDFCreator.exe
"C:\Program Files (x86)\PDFCreator\PDFCreator.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PDFCreator\Languages\english.ini

Filesize
33KB

MD5
6d1caf5ea887b6b0812a6ec85028bcec

SHA1
c4913ac29bcf556e36236a14fc93adb0c688b316

SHA256
eac6117268903fb57236219891768bc8ec7ebcaf0b77da012056b76aa707d24d

SHA512
28071bd83c427841ecbd73557537b5ef4b128b8a98f09827a6bc7203ac39fddc001eb4fdbf29cdde6189bce8c3b58c3627269be9ae31d46a1261803bc7cb366b

Download Submit
C:\Program Files (x86)\PDFCreator\PlugIns\pdfforge\FairPlay License.txt

Filesize
1KB

MD5
3734fcfa65c155ec05f1ec4b054a43cb

SHA1
b73cb0953b30beb656ee8f6383002bcb546a217f

SHA256
8d03e1728f68a4e2c1b3b50008b86ff09ca24f3af38d642364e83173efc44136

SHA512
8ee9be3ba2dad9846b605c0c30f5264038d3646c80cbb4b27fdf510766be87894c505193a6c1a2754dd7de28e6390a4f397b190ed55b37e392a3a2e6ada52b2f

Download Submit
C:\Program Files (x86)\PDFCreator\PlugIns\pdfforge\pdfforge.dll

Filesize
74KB

MD5
549e875667c289692fbc980adee27273

SHA1
f38fa40887dfc311c6e31c23b57325b5daab3e4f

SHA256
51b51bbb4ded2d3eea4f1096506c45310c2703cf9ca7029303d38dae7ac7f0e5

SHA512
e843cf45419c2cb4bb1d6d7f20e365724e090dd0a651285dc7fe5412b3006e9c8215e9485b7619724bef5c7e529bd218d2f494dedee957d63b653e5e454e2584

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
2KB

MD5
f8326d9f855e7b60e046f80aa4e350cf

SHA1
cd1c3f7b2b3853a09945d8db5ddb1c56a0c57ffc

SHA256
af451876e39dcd2870ef549588d9c8515af27f45b0a2265f42711481a79afb71

SHA512
674afb7bb4bca95c9631d4aaeff1faa1ff5a72c12e1a834407546a5d923e080ebbe79b1d43339661c9bd19b6e2101f816d305afde562ee651bb0692a218e8a95

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
2KB

MD5
5592109fb4aa1dc32bd73f33569c0b31

SHA1
51a18f401656932bbf840dcbca333ed27c596fc0

SHA256
b1efa959d62ffe2f6c72c1f2ae6625f2bc461b12b040a78af34ae8d052df6697

SHA512
6c2a2ecb338e7114ba5ce5e14c5e1ce6b00aeffb17fa15d6a8f6be6cdb4af1f2c238a7d3ef604f5bc983a80a47f0d5b26a38512d0ba28ed6cfaa1c287cd36139

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
2KB

MD5
a6c97a1b2587d1bee05e9628a364d69b

SHA1
2d2537fddeab6e75a61c9b63b172447f71303600

SHA256
e47953aaf27c61a5631da1db58949e4194f3a1fecfb2989edec337ecfe772043

SHA512
335013ebc615c1931ee5ebcdecfe41b35f69a67088b56d184a62d389c65d5827fc000e8b2ed98e8beeed43b4e285752a41ea4c3127a0aec1fb39be028742779a

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
3KB

MD5
fd425fb913a81a90f75d2d3e4e13e05b

SHA1
c1d625043c9fbb2ef8c0bfc5fce7a49dac688a2e

SHA256
8e6738a5d50bae367bb6a6c108cd264fdf8ac38660ca4eeae06c0365f700ee47

SHA512
bc67bce463d44d1d9f7200814f400a5b95287b90f81db0dec9b5c6f880719338e4af58e4c6cb189e3f902646a02a003e92bee4fc06fd403da9825cb0bda8ac9e

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
4KB

MD5
ef6a7aaf3c93fc2a2e132f696fbd3d65

SHA1
ca22b2dd58a44a0ac20f59c0e7a25cf7deed7b48

SHA256
ccfa0c3049353ce45e2da3d5a6d1a8c6ccc7976cc0f775635ec9f6c7876cbbc6

SHA512
44770c77feb5269ef7478de11433c5831542d44d23925b4f5b8fd7abef9cad9e125cd8b3ebce9024ccad45e1effa2082a505cd29cd065264ccb71088b1072bc6

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
1KB

MD5
923e46aee3dceec23ec31ec2ad52a9be

SHA1
65a83ddf4377766f1c90529202e1fbc7e6ab89b1

SHA256
c8e887d5b3bddaa935498c4a7ac2fc313193e4143043af1b47162f7022fec93e

SHA512
c33f8f32d60898f74fa46ed40f2a6dd3c883559d5483fff76df3e772b05d48b3d0cea0895c8a5280aa365871a84f78b2f8c5c7936a2dbaf65c26d7587e462bef

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
1KB

MD5
012e410fa437e9752cd5eae8c994a054

SHA1
8100e3e06ed1cc6bd256a07b3e690353c0e8b1af

SHA256
18864a518e7a853913237b991ab754d5e509c5593d062eab00f66eb5fb6b5421

SHA512
8078382e9f86c5ca4a6384db223173dbbf253df97025b059518371ff678fea74a11e3d47b19fad6bbacea37fb2539cbd46e28179423f448b0885603472237bfa

Download Submit
C:\Program Files (x86)\PDFCreator\SetupLog.txt

Filesize
1KB

MD5
72ee79888fee12cac50e941211faf20f

SHA1
623ac67e216c7d1135baa0e911297ec660aa1140

SHA256
b3cac7061a03305a92467f0b228aabb98b823a3e0b1601aa87e3540406c5db2b

SHA512
4557ec243179560442e9b65d30b2154aa7aa46b071833e7aac154e9e6be5dcbd65b843a587525311ec71f24ea736cb4d53b18dbef2f88af01a8339d569bda9ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e7cd1886f1017f34bd44cf39359e80d9

SHA1
83bf99c836a182d6cac2d6a58544b417ee3059a5

SHA256
675de3870b944bd876f685736f9e683ae18651f9047548f1eca58098b0b02118

SHA512
112ac6bfc4fb41ffd7e4f4fe82af387c6b6ed482f8c30142f4bb534878fc1e8cdf56fe5b84f27f6cdedc77f2e66787e73c4facdecb8ebc851fe46f4ac3ae3c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d00f2b8261f87a7606877396a20e9d15

SHA1
e4f16bd0dcc2d0f3447702a1a1c5928ec31642e4

SHA256
113f6a2357160e39a4bd7f0714bbb10b81e400a103a78b09486ccb77a4c6fcf1

SHA512
7187787c0d3aa47ed7ca8fe7923daaacb2602d1b71e829dc386168c120d769dffebed776e8739bad8b191c8eb7eb05c249b4d39487f255881532ef68b9d40a69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9223152a9e782dca042ff95db74dfb1

SHA1
154cc744e5c7ed9d5c0d9f6f0a2ed1499ebe9f0e

SHA256
c0733d60288890d65e608e34657059a432d10df27d5fba4f25fc4156a0e4ae3c

SHA512
2ca51e65e1bb837af1f58909a1973a13913820619be6266181d12d2d450f2588a979d3ade939419dc942ee1203a84bfe06f28cf098239c7e8682eda2854e22d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66949714090f2983558d1a0fd61c8d7a

SHA1
29c86ad3b6a09316f8c71843b851f51aa532019e

SHA256
76b96632afd2603171029ab813c48b3d81d96ceabefe44a18d75af28ba1c0c00

SHA512
5ab9896bcb2e42af24f98638a70b820aca3a0719d57e097248d4615d1ea13040b13acc288c7d4e1b62e30b495770583cecb31ed425683090306d3d312baa99bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f99ab69428624c1dbd20e28831fcbc7e

SHA1
ab8f0adcf68a7adc54581a2b852b782780825255

SHA256
7d8fef92591f365d2f7937f177e2985dffd13c08b4cb06f643333ed5e04e5d29

SHA512
407602a31f2d9405f65c93ed9e560c3eb2957abe622f29220da67f361611b9ada97c6a3abc0223a504c876d3bce58d3f9a0a0785db05f8b9a8cf41cd06af66ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55e64e5296734cf9636f4730fa038d2d

SHA1
a5f187e0788653f28590e4ab4294281a11f5a0bc

SHA256
0803135019829d386a002427855ebe992c7dc4972686d66f4b98185cb5abe3fd

SHA512
c3d0e8b786803d5f64d3d539e71d772a8925f909ad12407f7c2bec220536f4c014a937ea80a9c2b5be36c92fae90a3940f5f57212f3304f42f24c895c03e4659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b0b4f00a64e93bbc329c2be5491e6a7

SHA1
de0df249ac3fbf4487391f53b419561bfae7ffb0

SHA256
d727f5d0c7851771fbe2fe373aba451f404feebb463b6b278dddddc6f6a89c5f

SHA512
7501ed77b23bf5f7bdbaa3ec777a9dcd8f49c8e466cf557db03e6ccd8ada9e391d3ca891524eed5653fcc85dae7fbb3586d2f96bb07ace405b00649e4f33ca50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fc4cff3d39c12b7a593619be3c02467

SHA1
0cc01ae20edd8d603d3ab0de1fccdfe57172f351

SHA256
eb4b41a4d596d74804c2648348ce1e2be0ba618ca79bdb6b062c942b7794771f

SHA512
020ad03d03b498eaf5412ad4560a1459c1dcbfe502a4e6b45e74451cd9cdeed5010c9a35cd2e45442071db56bbc71cfbd47b4d6f8baf0ce4e011e8179be8dd68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34d25df59719ec6594121073558263bc

SHA1
6ed75f0bdc039155e8ebf514d843d631b65a8841

SHA256
93054f5629e0f21b1a31458f579b4e0cd2b0037c5d6d05bfd4fc7caf3e3c6537

SHA512
677daf7473538af19e11402fbcedd2e11b50253303005aa0027f5e105dbe1eb1bd4c7802a3ed952f0cfacf218dc54bdd26de9ab063e106b943815dc9c83e928f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f44eb8222d5940a92a4a81e3720e08de

SHA1
a4ce60768eb3e050ade6cd3a49561603c15df99d

SHA256
d694262b475ac24d04b54d79bb6daaccf5bc44d18ddbef54655a46b1be2d2cb5

SHA512
51d93f85946619934df3b4e627cde4a90611175e8081465b71884b76511c74d1c077916923fe07d15c661b7a2bd4875352e9d9f9000dc470266e772985f6e15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffeff0db9d45026bc5792e7872775c40

SHA1
41164bc400bcede38555264cca257e4847a033a2

SHA256
921e1e7bae6813ae55812fda6f33a4bcf1bed8f14e1c7ac33ba759f0ca1a4a1d

SHA512
d8818545436fbb0720907b252ee4328989bade84875ba0ba8eb10d99b60d7daa04deb208a440d8f83e371c6d069c75fe3ee853d0f6285b1b3025eb9175494285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e53c5c27cb6f2e19bb6c4454b934a64

SHA1
4d20e991e4c78578c813c2b1b058e428a6e3ad7f

SHA256
92f30afe167f4073b560baae6d37a194f8d0ffa28b744b58ae9b729b25631117

SHA512
53668cc9b4c28255d1911b682c3aa76f6ae739fbfd098bb50b24a3d83a5a0b10c6dbbbe940edc5f3967f938bb5b9f24a05e39d5aebc2f65ce6f71bb3a9914252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca07aea7481f7aea68ab8fff56c874e6

SHA1
e1615d534d42b5e986ac7825c044791edd1b4541

SHA256
a32dc853bf87c62b1b2ebdb6253408a1393a01927930dcc0b5b6cda40eee05a0

SHA512
f530ce2ef94cdc14d2645f01a7f17468cb95e5a8e485cb75b0cd0f52f7c3e4397650cccbc516a9f3b59d3c9076c48aca89344fae430f586701d10eab4e5471ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8ba47515b64b3ef61be0b3c9af0c777d

SHA1
d26588ed2ff09f0d5a2ee4b95c392d79daef0f54

SHA256
d27bc695f787368b7398a344dd089fe094b28e9c3a918a8cec61db7976ef4208

SHA512
9b1fd58f71dfb145f3680a039bca73f0c41bf03053d49b74e972d4106af7ba43860b17ea7807fc8395b279906109c8b463542ba94e1765db78172bd4f49a6ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA192.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\PDFArchitectAd1_english.bmp

Filesize
123KB

MD5
ebd5aedf84bada7df017f3d112d16aec

SHA1
f42f705ae59d1d6eeecc0ce7875151c410746e5c

SHA256
bd1c1e0f09961b063143cc13c1e1fda72b9474d2bf9e5b1e94ea09d6a228b118

SHA512
d53f068db77eabda54dc0034e52aef727ccfad2ecd5e6f56725bb31a3bce0d9627150eff4798d6f7f3c82f5213a8be9550b988e95a36f684522ff89d8521a08f

Download Submit
C:\Windows\SysWOW64\MSCOMCTL.OCX

Filesize
1.0MB

MD5
e52859fcb7a827cacfce7963184c7d24

SHA1
35c4ae05d90f610c0520933faaca2a8d39e1b2a1

SHA256
45b6eef5bbf223cf8ff78f5014b68a72f0bc2cceaed030dece0a1abacf88f1f8

SHA512
013e6bf4762b1f90650ee6a1cb275607d1cad9df481362f42606a37f3a6f63de5cd0cdb0e9739df141b58f67ac079cf27be4ffe4937371972dd14eae18c58a94

Download Submit
C:\Windows\SysWOW64\MSMAPI32.OCX

Filesize
133KB

MD5
d329085a88a9019ed5700c0f04b3176e

SHA1
ab504f7cc07889057513f4916248bd4910360090

SHA256
60e841057cbbf33e10c5169cc328330d11838636002670cb9e8a7a09bab321ab

SHA512
badf8a50f78c8cb08538ae47c1fd660baa6dda6276dc355e3141b3a202b5041e9a685241935de597eb93a9caf1ab08099c686ad203ea79d7a37796bef5212b2a

Download Submit
\Program Files (x86)\PDFCreator\GS9.07\gs9.07\Bin\gsdll32.dll

Filesize
10.5MB

MD5
dbd87962936ee1827324fde53e0f4a75

SHA1
7e52bc0c92331664f21cfe9931562331647fcb6f

SHA256
6176723af0db5ff73fd20b452852b53d74dd09727b6af152f961555b0ac9474b

SHA512
0ec9237e80f704a20ce92f4a3eb71dd819dc6b49497570d5b43b1fc4dffcfb27ebf2c061d5d5cb9e4748a24972d1fe0c17708695aead7b526a438e0f84866754

Download Submit
\Program Files (x86)\PDFCreator\Images2PDF\Images2PDF.exe

Filesize
703KB

MD5
4875cdece9c259f78a64d71be18c4b89

SHA1
c510508b86875a758a738dba478afbb9bd88b593

SHA256
347ac49ace6e47b7f5c22ed1ca28d8c7e461b7e5f11f12aa8c7351f49ee00d47

SHA512
5ee6bb171f076d3f3dd89d1a161153cb5add4d6795fc49ec5066185b2ca18f268ffc52c234113d4f5663fa43981ed31c3c91b436b1d7b59626b7acdba3004b25

Download Submit
\Program Files (x86)\PDFCreator\PDFCreator.exe

Filesize
3.0MB

MD5
0b9d7c425042dc3ce6dd418c17e49e62

SHA1
5b55874374c8b930b0e08d46ec7cb63a6d557aaf

SHA256
7c79902533144a0250412ee869cc047903ba430976e66952b9e2fd319e1227ab

SHA512
75c798d1c2d46b752c39515985f7240f95f100120a41476940ffb93d4402cb6c6d40194e917d449049bedf1a511f122ac5e0bcffb9b23c51d660069ea57275c1

Download Submit
\Program Files (x86)\PDFCreator\languages\TransTool.exe

Filesize
608KB

MD5
98abd73afd6f1bedbb1581fbe82615e3

SHA1
5a5c40c4f234fe6c9dd8157a4e47c4b61f3950d1

SHA256
80813b08b3244538780607eb119493898e1c50f726edb8686d2bb09cf77b6228

SHA512
ca12aa9dd98fbac16797bc6d798e4552060bb901ed78446b9a7265cf098d674de3225ab93460791d75e3ec3c2f604cd407ea4311ff721bac87c1b0ebb78866a6

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\DownloadUpdateInfo.exe

Filesize
501KB

MD5
b63e279da8d345f8d4cfd6ec83cacc90

SHA1
342527cdef8bb1ba44baa3c26ae10d5cb573b3fb

SHA256
00afc88cf2db1260aed13fa928630bea4ac82788e1ae6abd26168349940b77ed

SHA512
320819aedd2b71b4bfb40b9d3d49381de2a99413b89db0ee6429f2c31dd1d7fa0d2a639380bd4faa20556b9818299933429ccd7d2d118ea7f8c2658bd4072115

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\InstallCheck.exe

Filesize
300KB

MD5
5934c818294eab6be73e0457ab988132

SHA1
3afacf41e08b49fb6743f997220a5d5f455114f9

SHA256
d08f4cd53beffcba6e78b512655ef937e0a47e85a3dbaeb973084bda08435c21

SHA512
12dc791f916467530b976f147152717135d83e022a038eb91157fbbcbfda2da0df6de621c9db3a52157c3f8ee29ce2ae50c0d4c59ee88dbc98ae7123a77eabb5

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\OCSetupHlp.dll

Filesize
788KB

MD5
ba9e5cf333329a7384ab31452c8f0b2a

SHA1
6dc0348d61f92f224e23f31dcbc4d78003e6f205

SHA256
549ede6c031a255d595b66b5b784a6fccfbe128933a165a2e9a292f5f4fd7068

SHA512
dd2a02b397c0ac92f09f83771ed6b9db482bbcc197e17f5c9c6e6b621364a5032643cbeb53fe7541b38dbfb492407375c94001dff28423272a9e32c2016ae306

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-G6OV1.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-HQ8NE.tmp\PDFCreator-1_7_1_setup [1].tmp

Filesize
690KB

MD5
a2c4d52c66b4b399facadb8cc8386745

SHA1
c326304c56a52a3e5bfbdce2fef54604a0c653e0

SHA256
6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a

SHA512
2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

Download Submit
\Windows\SysWOW64\MSCOMCT2.OCX

Filesize
646KB

MD5
ae47a8a5fe8193bb84ffcd338115d8ef

SHA1
edbe4b85f000880ebd68239eab29fac3d79f3113

SHA256
160b0cef5e9ed57c024e9b3a278e6456e849daa85d46f2b6d1450bf19fca72dd

SHA512
9dfe5f65825f58e267092fac0c7d359c7bc23ef5ad90f2abb4614e88fdc6adfddfbf7df29aabf519fb8238d5efec27ea1ddc386760d4d841c657226e850d7bc7

Download Submit
\Windows\System32\pdfcmon.dll

Filesize
107KB

MD5
c89b88bca6d6b72a470d8bf5730254c6

SHA1
67a140a48f6c5432f1c3045e4ea70835c8ddfae6

SHA256
cd0a128e84d4318b1cc3d417fcb6beae87d0d7d6660337f67b1cd9c1eb10f7a3

SHA512
df8b33d786dda066c63879f7e75177502a74a451771059180a964e03276d7325704d9fe2d896c73f36933dfe88b23cc2272fee461942b0a2ac8f5d6d8dd25d3b

Download Submit
\Windows\System32\spool\drivers\x64\PS5UI.DLL

Filesize
850KB

MD5
0dd712d968fe4a1044f405523d8e6bc2

SHA1
85ee22fd2c7b4c352a179c0c349839ecc60839be

SHA256
ed765d4ef9e2e8e6043ef68a7a0cbd9e48d92b1f6f9ff552b75339f3855685d0

SHA512
94f22da415f0597ebfcdbbbd7cdd1818f0224043cc3ce08ea38e653575c4315115551bf5680775024de4329f96c50e4e7542388f01fabcac0e8aa471cafbfa1a

Download Submit
\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL

Filesize
630KB

MD5
390024c826c8bd152ea2c1229400e356

SHA1
63446625f4e042e956de3d8c7ac2fec86e50dbe9

SHA256
ac453955595f5d1b1405ff10066cc9e97a861fd17f27032fed86b113acd31bd4

SHA512
8108ea4a7abbb3e284d442ed1df625d7ac00732c9cb8dc9000546471fb6e67009ef180eaf1410949a9739aff040493604d8bab5123cf29ce7070cdc8fb609dad

Download Submit
memory/528-1651-0x00000000069E0000-0x00000000069E2000-memory.dmp

Filesize
8KB

Download
memory/528-1650-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1220-877-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-944-0x0000000072ED0000-0x000000007347B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2232-1192-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2232-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2328-82-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2328-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2328-95-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/2328-96-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/2328-97-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/2328-98-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/2328-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2328-93-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/2328-92-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/2328-91-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2328-90-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2328-17-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2328-51-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2328-52-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2328-94-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/2328-72-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2328-1088-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2328-1087-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2328-89-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/2328-88-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2328-87-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/2328-86-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2328-85-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2328-84-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2328-1191-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2328-83-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2328-79-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2328-75-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2484-63-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2600-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2600-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2600-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-1085-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-1065-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2668-1068-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-33-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2736-42-0x0000000001EE0000-0x0000000001F1C000-memory.dmp

Filesize
240KB

Download
memory/2736-47-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2872-66-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2872-1011-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3032-1076-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3032-1083-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download