baeb9e1d98c62bb6adf6494b18909ea6eac024d7fa8ebb3aea8eac4e5c1c93c9

Analysis

max time kernel
48s
max time network
50s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 10:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
Size

7.2MB
MD5

482281cf2fa535e4e8eb06413f6de307
SHA1

bd3d451bfb56b02edd3d2d1fea10e29ec94f1a8c
SHA256

600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181
SHA512

59d2ceff3a8577e3845ce748bdb841c8ebec786b418efcad6fe97409559dc313381ab99db0a02ad9efe63bc69bf6c06662b59b2a2a9b43f50c297d00e5634e29
SSDEEP

196608:ZqOAaDOa1iWGHNgJheMwSi6PVpeOZgE0E:ZqOlbRL2+iIZ0E

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2620	PrimDel.exe
2720	PrimInst.exe
2324	PrimoPDF.exe
2096	PrimoPDF.exe

Loads dropped DLL 29 IoCs

pid	Process
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1012	RunDll32.exe
1012	RunDll32.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
328	Process not Found
328	Process not Found
328	Process not Found
328	Process not Found
328	Process not Found
328	Process not Found
328	Process not Found
2720	PrimInst.exe
2720	PrimInst.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
2096	PrimoPDF.exe
2096	PrimoPDF.exe
2096	PrimoPDF.exe
2096	PrimoPDF.exe
2096	PrimoPDF.exe
2096	PrimoPDF.exe
2324	PrimoPDF.exe
2324	PrimoPDF.exe
2324	PrimoPDF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\Primomonnt.dll	PrimInst.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pscript5.dll	PrimInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pscript5.dll	PrimInst.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\ps5ui.dll	PrimInst.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\primopdf.ppd	PrimInst.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pscript.ntf	PrimInst.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.nl.apdb	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Online_UG.url	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Configuration\_Ebook.ini	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Configuration\_Default.ini	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\de\Primo_Update.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\PSCRIPT.NTF	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.it.apdb	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.apdb	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\nl\Primo_Update.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\fr\Primo_Update.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimInstInfo.txt	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\PrimoPDF.PPD	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoMon\vssver2.scc	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\APDB.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\de\PrimoPDF.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\fr\PrimoPDF.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\it\PrimoPDF.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\uninstaller.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimInst.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\vssver2.scc	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.es.apdb	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\es\PrimoPDF.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Primo_Update.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\PS5UI.DLL	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\PSCRIPT5.DLL	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoMon\primomonnt.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.de.apdb	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\nl\PrimoPDF.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\it\Primo_Update.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoRun.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimDel.exe	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\PrimoPDF.BPD	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\PSCRIPT.HLP	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoSet.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.fr.apdb	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\es\Primo_Update.resources.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File opened for modification	C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimInstInfo.txt	PrimInst.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\gsdll32.dll	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File created	C:\Program Files (x86)\Nitro PDF\PrimoPDF\Configuration\_Prepress.ini	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\primopdf.ini	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
File opened for modification	C:\Windows\primopdf.ini	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrimoPDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrimoPDF.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001a4b8-107.dat	nsis_installer_1
behavioral1/files/0x000600000001a4b8-107.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	PrimoPDF.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BE44181-65EE-11EF-9D58-7EBFE1D0DDB4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9BE44183-65EE-11EF-9D58-7EBFE1D0DDB4}.dat = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	PrimoPDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PrimoPDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PrimoPDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PrimoPDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	PrimoPDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	PrimoPDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	PrimoPDF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	PrimoPDF.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1012	RunDll32.exe
1012	RunDll32.exe
1012	RunDll32.exe
1012	RunDll32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTcbPrivilege	2096	PrimoPDF.exe
Token: SeAssignPrimaryTokenPrivilege	2096	PrimoPDF.exe
Token: SeIncreaseQuotaPrivilege	2096	PrimoPDF.exe
Token: SeTcbPrivilege	2324	PrimoPDF.exe
Token: SeAssignPrimaryTokenPrivilege	2324	PrimoPDF.exe
Token: SeIncreaseQuotaPrivilege	2324	PrimoPDF.exe
Token: SeDebugPrivilege	2096	PrimoPDF.exe
Token: 33	2096	PrimoPDF.exe
Token: SeIncBasePriorityPrivilege	2096	PrimoPDF.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1852	iexplore.exe
2096	PrimoPDF.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1852	iexplore.exe
1852	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2096	PrimoPDF.exe
2096	PrimoPDF.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 1012	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	30
PID 1244 wrote to memory of 2620	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	32
PID 1244 wrote to memory of 2620	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	32
PID 1244 wrote to memory of 2620	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	32
PID 1244 wrote to memory of 2620	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	32
PID 1244 wrote to memory of 2720	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	33
PID 1244 wrote to memory of 2720	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	33
PID 1244 wrote to memory of 2720	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	33
PID 1244 wrote to memory of 2720	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	33
PID 1244 wrote to memory of 1852	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	34
PID 1244 wrote to memory of 1852	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	34
PID 1244 wrote to memory of 1852	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	34
PID 1244 wrote to memory of 1852	1244	600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe	34
PID 1852 wrote to memory of 2876	1852	iexplore.exe	35
PID 1852 wrote to memory of 2876	1852	iexplore.exe	35
PID 1852 wrote to memory of 2876	1852	iexplore.exe	35
PID 1852 wrote to memory of 2876	1852	iexplore.exe	35
PID 2096 wrote to memory of 2568	2096	PrimoPDF.exe	39
PID 2096 wrote to memory of 2568	2096	PrimoPDF.exe	39
PID 2096 wrote to memory of 2568	2096	PrimoPDF.exe	39
PID 2096 wrote to memory of 2568	2096	PrimoPDF.exe	39
PID 2568 wrote to memory of 2556	2568	csc.exe	41
PID 2568 wrote to memory of 2556	2568	csc.exe	41
PID 2568 wrote to memory of 2556	2568	csc.exe	41
PID 2568 wrote to memory of 2556	2568	csc.exe	41

C:\Users\Admin\AppData\Local\Temp\600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe
"C:\Users\Admin\AppData\Local\Temp\600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\OCSetupHlp.dll",_OCPRD38RunOpenCandyDLL@16 1244
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimDel.exe
  "C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimDel.exe"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimInst.exe
  "C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimInst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2720
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.nitropdf.com/services/LinkRedirector.aspx?lr_prod=Primo&lr_name=welcome&lr_loc=en-US&lr_src=primo&name=&email=&company=&language=1033
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2876

C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.exe
"C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.exe
"C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gd8majso.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES205.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC204.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\primopdf.ppd

Filesize
19KB

MD5
f009ebf61b4bcb39756b190e30ed21c4

SHA1
4bac758e67f745cf7d1b021b5e636258a979f69d

SHA256
1b582c3ff9fb05477f61f5aeec2d7f3c02e2247a5693b787d6d4a7395727f660

SHA512
ac69fe06c70bf2a419583955136392a0dee4d00044bcfae090379117524c071c1382f2663a3d2256b14e8b8144ece6b5778a71756c8daefcfb425c3616d2d0b8

Download Submit
C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\ps5ui.dll

Filesize
236KB

MD5
68208e1d38169337c165a95b828e9111

SHA1
af4cfe044b7a8cd5351186fef66e11c364b03c90

SHA256
f33d56a9b6d69b2ce34aad9359f91e08d22721a4657ccbe88b147543045603bf

SHA512
b18189f2d488eb6dcaaedbeb6b50ae9290475b3a41093f539511448decb1f0302fec63a09a2ae72f399b2a5ba0291754ec957c70e1fed6ad0bf36a00e412c5eb

Download Submit
C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\pscript.ntf

Filesize
1.0MB

MD5
e45e03bdfbddcee4b6d62bc922ef24e7

SHA1
1873ec050afe6275e95df8b6a1a43098dccb9f25

SHA256
3eb48a31bb8bfb34534ff6e251e9b97e29e8b8e3a4eaf6c929b026caced3498c

SHA512
0dd54c060ca8b2fb676a14488dfeb30de9b0458a23aeb632c1bc4de54fc6b8066c86450a896726f04ca74bcecec03fac15c69a81ed17215b53501da57607f915

Download Submit
C:\Program Files (x86)\Nitro PDF\PrimoPDF\Drivers\pscript5.dll

Filesize
720KB

MD5
b0fde6dd7fbed18eb3464a621ae8ee5c

SHA1
1821b681455826f8a501df1b5abedfc52f9b7e8f

SHA256
5e49e3cc7917abc25d6c8eb09e5ea8fd3e6809393e3ae2f35254f80253147876

SHA512
f97a62d66c6c04b4cf11ed62e5e3ace074bffcc71b64a273efa699c045045af63889c656f09f0b7878c9f98da6ffebed01675890f9c0c70e80ba0345b490257d

Download Submit
C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimInst.exe

Filesize
177KB

MD5
7eb4f230aec0fbf5388b56357ac652ac

SHA1
12199515cbd88780ff1f47b690247a08eb23636a

SHA256
5c003c78ad1963f9eab28756f54a015aa6b25dc65c01046532d24c98b9b01dc3

SHA512
16597bd8acd9b1034970be8e712a49803682fa184aafb807d1344707cf6840d8281a8b60101386677931ada5e83b0172e9fb8bd22033b6e0d74f84618dc1e453

Download Submit
C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoMon\Primomonnt.dll

Filesize
92KB

MD5
962874341190719614fc9b37d5de71f8

SHA1
77ad30b59b8bcb079057d7d27a63f94eb0a27445

SHA256
0bc791b452509746f6948fe0819486692507accc5341e5f686e43c6a9332c76d

SHA512
d25e94f44727ea1c4597888953639af5802ee8c52560a3ca402e391f1fd571047315fd37fcec53bd96ef71b66baf348661f95c54548ea5ec7d72a235195e3434

Download Submit
C:\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.es.apdb

Filesize
32KB

MD5
41a1364c9f5737adcedaa58987a14696

SHA1
327b774b1768615936f29f80160f2383f49239eb

SHA256
420edc21ada1fd3e1f25bfe5df5216fa86c610bd24258127a68fc7dd212095e4

SHA512
e4c8b595e8a455055fd7991d1ec390ca749674ee3d1932c32fd8c5a650b0853d74e9d0e30110f2d59d1c5a3a2817ad9440455faf9180b50a4723b295bc14250c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70

Filesize
74KB

MD5
dabf68a1c5d3ce6805c8dfc7a5e673ba

SHA1
5424cd9f728154b17cbcf27e471b715fd217bbff

SHA256
c620dab1153ad348692fde31712010aaee2f21a75a2f911e84206de0d91b5eb0

SHA512
9cda0d522f6ce02d18c831a50b830238c04d98dba1f3492abcd6c64cc83ba1f6507771c936f4f086caa6245fb0dde46332d7b79da4df1a0f9842b532178e9e48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_EA3B1A308505FF38C7831F743238663E

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7390d9b3cd4ec58a7ebe015149541bee

SHA1
0e57a062ed692f24b77c4fc10532074169142c1c

SHA256
9850b0640929d24cb53140412c568edf426cffa8fc04609793138b257fc67e0d

SHA512
e6760b1f6ba5e3dc0e6f222ad680607a1f07962426774dc449bb56b6e01c401a765b45a8d2b76a9ab0a4622a22ac14023ff914b335c5ca64ae08a551363f01af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4d9997f29859620be212adec69bf715

SHA1
c48af697adb35aded0a19f26f2a62a822047af6c

SHA256
8c21afbe7418fd0a2f0b6f05ca8be3a0692ff2e3f5280e693fad93e94656af53

SHA512
3a67c793dcd621f8a019c76f1b708545bd509d152c4e10cdbf07560f3cc00188eb07dd5640315baf9db9ea88a2025bb1fc838c04f3a9d17d519e856940aa855b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5868bb75591f638742d726fd22f7767f

SHA1
d7cb75c037377cb8e4b7ef4e2a816c4e981c2eff

SHA256
9def33db01c4ace4f4bb227adeafb5f66c0204e8d3b2456cca0113c2aa53f38f

SHA512
d701276f636ec8d4d407c5b7c84c6d0974bde96d9c57e3809a799ac48672d4ee1f9ef7155e8e9fc3fbf2daa57ab672a35592c1cbdcdbec8f4915947625f0d783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cff9cf25a852d7fd280b120db6999a2

SHA1
631298e8d9d2ba927d38033b17b278f60880ef0b

SHA256
ccfd0079b8710808f3df2dbdd9db08df8f1f3fc9748e52ba8fd0e6a5dca55cff

SHA512
59053d75eef55b4d40ce0388782d43e9293be6058e9d1e1a688dc738de549aae7f273730bf33de67b4b0dbfffa573dd9ce73d6cd40c474f4fd3fe5de3657458c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70

Filesize
302B

MD5
c0591873ff63c613b8abb2bedeaba225

SHA1
e68ec932085b358260685fbdf2e0bc5980952c76

SHA256
6cec1e5da93ea4b320bf3831ca728e5b941b7b20abee2a51d871ed5f9ef5365d

SHA512
de052dd70096371e7a18bbe9d7c1e0408c98b2e285563a1e72b016bd8e866dc6087cc2daed428aac9ee0b082ff8b6fddf7efdb14507959b355428a2ac63cbc8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_EA3B1A308505FF38C7831F743238663E

Filesize
404B

MD5
f6a3ffe37e62b976a6de9f947eff0f6d

SHA1
37aa052a2904a37252e8555160df59394f99508b

SHA256
5b152b6eecb00e5b31cf4d7c2408da5f127353a21c0dec372e2e4cc933fef8ea

SHA512
858c4e787314f358f3b1c8efae520eecb464cd0aa5a3e030322b353b7b551936ac948404f9991b53f4ac2db58d5c862b95e0e3be81f4c3b7ca313f287bbb3112

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED3D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES205.tmp

Filesize
1KB

MD5
c8aea0eded8621572118e7007a2f1cf6

SHA1
e470d5a63943722cdcce08524c9fe53cdb1f12f5

SHA256
79510529953f4769e6f069f0dc0026ddb6b833eb9103c2357f4b21c28d83d6d2

SHA512
05d98606bb6f7f2820ec63068d2cbd56bb5967c631484a6d9859c0fcf91e5bebc51b50a9515131d4535d93a8c105966bd362f775c9e8316ba075635fcdce731b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE0A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gd8majso.dll

Filesize
32KB

MD5
06c11be216824ddf9eae6c7402d2fa3b

SHA1
234176673cd6f57b942e01f8777d32d2ef8d82f5

SHA256
656d93f5551209c0d370c7fff6ef4eada341220d0f5b38d01a21963057e5d3b8

SHA512
55944ea9595e3e8497e586c38beb8b472305dd57d9c6d6d30c479a8e9413acdf54d92806eee0f9bdab81b57c68ba6362889db2539eef9d25c5a08f82db777f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3f830f63757d9a4b1c98f0a0b9ca53a4

SHA1
fc90eaeced003c9f83db77200c52ed7592eddf1e

SHA256
65dcd2f65b0ee6b9f2c8ace2461e3ff2968d5b2a606ffa8d3f2244286c86c12e

SHA512
ff164dff1b8e085bb837bd838a523e3bd8e299be3b833579e1bde7b0bc28e225a8b70bd0e9c4fb2aef9174c7e1da8bd0f96c7177c63f92f2ee62b16cfcb3d41a

Download Submit
C:\Users\Admin\Desktop\OpenStep.rle

Filesize
234KB

MD5
df7e530667274ece23b439f1c98985e5

SHA1
ea82eaf703817f08f82c7587f68e7b3e1d5d9abc

SHA256
6aae4415164e280417269c58e14c9b479c036e9c1ef51b5d2088551a1f199895

SHA512
180fa287eeffdf848eb4afbbb76d4eaf096b1a7e8aa64ed1c10a023c9fbd70b4623f5dc953870f2933c0b2058fbad7cfd5df8fa9ba7ab84ec373e7b72d4c09d7

Download Submit
C:\Users\Admin\Desktop\PingJoin.cr2

Filesize
106KB

MD5
65a5342773adeeb3743172ff48d868bd

SHA1
df2b72810295a601ac82fb35bb61bdfc10d81756

SHA256
b942b7336e7f7bb8172060a200eedebbc37a2e2d9df48249afd156c58191042a

SHA512
00f4af4305095c96d5e4c5db71b4493661ab24d22f67684ca3b61e42d86806c327af3ea429ccf52d797d08707c02ad2ac4d1e73513de4868678151d285672ede

Download Submit
C:\Users\Admin\Desktop\ProtectPublish.asf

Filesize
173KB

MD5
525229dfe02bb90bcb9786afd581b2ca

SHA1
161efece82a624083e5a6d1ecd509e9b2b15a1db

SHA256
a19d03105dc3a4045b01e877804dd64a3585bf6e4b49b04a06451e006973cb85

SHA512
0f8b01301b71b63f15f6662c39e6e7cd370b0efb6bc2ab798184704e0142065ba7b5e3508fe23b4611f44890a39efe4f42907ec1342631137ee97cd32f9f2281

Download Submit
C:\Users\Admin\Desktop\SetGet.csv

Filesize
185KB

MD5
065b7bc8629a384d496bbcee63a067fc

SHA1
2128ae613ce261e326698f1fc4053129873baa47

SHA256
015ba757846e32c369c13f0415408c0483477979680a73c4b7a5600801bbc8f3

SHA512
4d602d62aa0291fa0eb0eed3da5ee9d89d7c89c403c8fb0a63306a62a88c15199101bb4e5a2c154a44e29823ea9017bac8febcce1a568c6c5d43a04a275e7422

Download Submit
C:\Users\Admin\Desktop\UnlockFind.docx

Filesize
13KB

MD5
d5dfb1a60d1139b331aa836d69e41383

SHA1
4f7e14dab783e350725a08e3925adbb8f2d1c75a

SHA256
c40393dff56494fa302977655f6f3110030c26749cb393326f048332c6938ae0

SHA512
eeae5cad50193b82e3a407d5bf8ae80e82f5e2545f382820f6a3129d0ba5d2602d6e4760ab7e1e2f617de2102a035649b67f5f9f20f24d255a4917b3848bd6eb

Download Submit
C:\Users\Admin\Desktop\UseResolve.rtf

Filesize
94KB

MD5
53e79204c7bb7aa5dcaf76f392ccce26

SHA1
c4a282c7800b6a0f2ec4351cc2a14cecd9a485c9

SHA256
1d5b6406f04e698fd52d074dc7a7e2a1e06818b070f24e4761959b6b884ce7b0

SHA512
eb443452d6a8610cf99b1a389292bcd3e4d3fe638dcd5d5f48c09a08824e94d776286d748edfb0b45476ea9df30f7f4c0f20d2f159d66abc6f12b1e7794b84f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC204.tmp

Filesize
652B

MD5
01066667e0fe2a09b0449f3cedf7a7ae

SHA1
55b1e0eab003196e1a4368a17ce6d53ea7d30a76

SHA256
f1db433c03b4f1b1a4c3ba93663dc66db577ec67914276907d564fdebfa3e066

SHA512
5cbf451dbfa341740d3b284b468302f888e3080d069eef57c762eaa86d0d0440f35730734315ab245c6fd2f11c5cb7f797b3e9791fa580423f0845d1f9484d02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gd8majso.0.cs

Filesize
43KB

MD5
0d8398095a57e4c9baddd92ad80d533b

SHA1
21293fa146a8c0c5676fb6304186a58df69dbd1e

SHA256
e3e85f8c88756397b10f030cdfa343d98e833847e2682fe8170de3d70dffc4e9

SHA512
ef5d1a6eff5cab2a6e107fb4cee1ce34a77af42a38d75d391771ab6fd33a565a5dbe27ef046b55565403fd5d9c696ba6afea8dd4eea5e13c4c1a7d5a1d9b322d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gd8majso.cmdline

Filesize
589B

MD5
a4693f5985ee04e36f99e71e61512fb7

SHA1
0caccb0d829a67b4765927268a343ef0a26e39aa

SHA256
a7cd503c4ce36c4b2382658d235a25efc4ea1037df738a110201327a9051416a

SHA512
e7898bda95defec1f60467b61afde48303746db0407db52d09dce156cc38d04721e36ce116ab09f998f68627b58bc9dd4153371e0b878b894efdf255eeeddfe4

Download Submit
\Program Files (x86)\Nitro PDF\PrimoPDF\APDB.dll

Filesize
20KB

MD5
7d4ada00170b1b6be2484f84f5b7beab

SHA1
22ca2778f80870c9ae1616d7d401acfc5d29be77

SHA256
0c2210f3e68c5c90bad2fcaa9bb9e00483bc43a81e5f6be29bd7e3610e629cd1

SHA512
89f2d085e4d135f37546fc15debd99bf0f890d5a35520be69ea6e5409594b11b6381240338d7132688f5dd797ee59d141fc20ac0b3ec02a4a728fcaba8418dc0

Download Submit
\Program Files (x86)\Nitro PDF\PrimoPDF\PrimDel.exe

Filesize
46KB

MD5
ae056378506ca73f05c7672751a4a1a6

SHA1
6cd4e9178320ca3d224452e8999e8abca5cbc416

SHA256
f3f016084b73b841808f3b061a30f456c55e2fd473a19cda1b33df3083b82aaf

SHA512
32201ffcfd2ee9b0a117232b7ada2f57e570196752aa7a40b1f39926ccedbb03f9b1ba01345fa7ccd0a613b40dce7461d181b30abd38023d665289f1f369d80a

Download Submit
\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoPDF.exe

Filesize
1.3MB

MD5
eaaf382fd0d1ba601909e5bd5a96f9b0

SHA1
7b9a2e41987ee4c7de1e510f062a8e5be8c3a6e1

SHA256
830692a373baaec1d5ee70131d10712357acfccdb6074879cb79b6bf67220783

SHA512
f3b9543175f3ff084d52ce9a514c38297b73e88a82f56726edc26d109216b1a5bc04554bcf0fa229b3ab4204f66f7febc4dca5ca76a038a5f070039e5378def8

Download Submit
\Program Files (x86)\Nitro PDF\PrimoPDF\PrimoSet.dll

Filesize
63KB

MD5
6543569dd0510a4a668e0af04096adcd

SHA1
1997c1d7843599011f0f583a030a6cb9cde0960d

SHA256
c3c310f6e6a0e6369b0f9074d73f4beefe073dfaad4fe5c2c27f12701e3e3d6f

SHA512
563eb39b445713394f3a6d10e0818c1bc1cad7e563373e497e0c5b0dd29f1d8a749be649c3b89828a0366dcc6207ed04a3cab2de99ceb4b11fe864ad12b053e8

Download Submit
\Program Files (x86)\Nitro PDF\PrimoPDF\uninstaller.exe

Filesize
145KB

MD5
a37098dc0dd5644a39d36844aecbc6ed

SHA1
1111a0cd54ac9531aa24505ae2668a741d0ef002

SHA256
2c6438557a17c1c91186413541d8dcf35d924450417b4eaa0b8740ee160234c7

SHA512
b6cbc147ea8e80e76bf1b21810e9480c64d89216015ae627f487e65c1d51e5fc7e067e2d8a7903d6ae2101cbf8cab02f13baade51dbde96be3d7d79f82e72307

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\OCSetupHlp.dll

Filesize
750KB

MD5
2b2f63f24b1dbad4eaaf5d41f4843857

SHA1
f7dd5c5ed4060025c13cf10e32adbb05842dce0b

SHA256
fcb60c2cb911e3b75bc730df2612896df8f0efe777107b78ea126a52a2f7c1ac

SHA512
4f8242609cff463fdbc5b402f2dd97f9c9bac58f70788424c585ce7cbd59ac9016d0a3de82e2283cfcda1566400f53c1a576ec7b1ddba8bc7c962e4fd76ed192

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/1012-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1012-188-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download