Malware Analysis Report

2024-09-11 16:40

Sample ID 240614-rz72aavcra
Target FileCenterSetup12 - Copy.exe
SHA256 dbc77d91f4364c8ebf577f41405a1969203092f1cc69d984940c2ba7bf541113
Tags
discovery persistence vidar stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbc77d91f4364c8ebf577f41405a1969203092f1cc69d984940c2ba7bf541113

Threat Level: Known bad

The file FileCenterSetup12 - Copy.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence vidar stealer

Vidar

Enumerates connected drives

Drops desktop.ini file(s)

Adds Run key to start application

Checks computer location settings

Drops file in System32 directory

Drops file in Program Files directory

Checks installed software on the system

Drops file in Windows directory

Registers COM server for autorun

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: SetClipboardViewer

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 14:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 14:38

Reported

2024-06-14 14:55

Platform

win10v2004-20240508-en

Max time kernel

820s

Max time network

820s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c4980d2e-febc-4df4-8611-f44b5852a185} = "\"C:\\ProgramData\\Package Cache\\{c4980d2e-febc-4df4-8611-f44b5852a185}\\PDFXLite10.exe\" /burn.runonce" C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{CA134671-7DDE-4C6F-AA1C-BB0FE686C483}\.cr\PDFXLite10.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File opened for modification C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-34JCQ.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\x64\mxdwdrv.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.nl-NL.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterProcess.exe C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.twain.client.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-N4ECR.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Samples\is-SPQB4.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.az-Latn-AZ.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.ru-RU.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\Plugins.x86\FowpKbd.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-5KAFG.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.tr-TR.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsasian215.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-PRRKB.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-EU2SV.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.barcode.1d.reader.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-JUJOQ.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.pl-PL.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-24J9N.tmp C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-OI2A2.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-GPTP7.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-JQB4U.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.da-DK.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.he-IL.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.filters.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-151HJ.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.it-IT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-71U70.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-V6UFC.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-EKEE8.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-RN31C.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-THMEB.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-QBNOG.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-O1523.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-D3SBE.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.nl-NL.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.pt-BR.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\ISYS11df.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\dscrt40.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sl-SI.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\xcscan40.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.it-IT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-B7AF0.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-L00HH.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.sw-KE.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Help\fc-receipts.chm C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjbig215.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-ED3OE.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-9SFQP.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-T0G0I.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-UNGHM.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.zh-TW.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Help\fc-automate.chm C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjpeg2k15.dll C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-KRJCG.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-UNEVN.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-HFNOG.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-47MSE.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-O4PV7.tmp C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.cs-CZ.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\win32\PXC50uif.dll C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e5869c1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DF8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{EE32AC25-40D1-4FA2-86CE-F53B0DCE9FCD}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2DC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5869c1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A77.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9B83.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C40.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D99.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI99F9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{EE32AC25-40D1-4FA2-86CE-F53B0DCE9FCD}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA164.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5869c5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA369.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9AD6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9BF1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EE32AC25-40D1-4FA2-86CE-F53B0DCE9FCD} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Windows\Temp\{D128095A-BB57-4F7C-9196-F164A5F6DD40}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{CA134671-7DDE-4C6F-AA1C-BB0FE686C483}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Temp\{D128095A-BB57-4F7C-9196-F164A5F6DD40}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{CA134671-7DDE-4C6F-AA1C-BB0FE686C483}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Windows\splwow64.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\splwow64.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.46.0\Class = "GdPicture14.PDFReducerConfiguration" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.46.0\Class = "GdPicture14.BookmarksTree" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0\Class = "GdPicture14.GdPicturePDF" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{021BDF87-EEFB-4384-9183-F8170E3DC459}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.46.0\Class = "GdPicture14.GdPictureOCR+SpreadsheetOptions" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Class = "GdPicture14.GdPictureDocumentConverter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\Class = "GdPicture14.GdPictureOCR" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\Class = "GdPicture14.Imaging.GdPictureRectangleF" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.46.0\Class = "GdPicture14.AnnotationManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\Class = "GdPicture14.GdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\Class = "GdPicture14.GdPictureOCR+SpreadsheetOptions" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.46.0\Class = "GdPicture14.AnnotationEditor" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\ = "C:\\Windows\\system32\\mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\LocalServer32\ = "\"C:\\Program Files\\Tracker Software\\Update\\TrackerUpdate.exe\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\Class = "GdPicture14.GdPicturePDF" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\Class = "GdPicture14.GdPictureSegmenter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{984D8349-2159-4CF7-BEB1-713EAB511205}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A018E70A-4E56-44ED-8E14-BB82ED650C38} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{107507E4-8258-4E89-9167-CADCD46059BB}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF2FFA17-1D52-38D2-8B6A-CEA4C426C891}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\pdfSaver5.EXE C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{697DF02C-B24E-11D3-B57C-00105AA461D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05917844-D520-4B9C-9557-0A9219652549} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71D744C0-D3E3-4BF2-8405-56ABFC895DFC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ED881CB-9DA1-4D56-94E6-5DDE88D5E844}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CB0D00F3-C764-38F4-B0EC-DF8E01AC1D39}\14.2.46.0\Class = "GdPicture14.MRZFormat" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84DC8941-53C0-33F1-81D7-4010CA75208A}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{697DF02B-B24E-11D3-B57C-00105AA461D0}\ = "Options Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\FileCenter\\Main" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{107507E4-8258-4E89-9167-CADCD46059BB}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C4B98F4-8043-47D2-BF47-38D9D7EFAAC8}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{984D8349-2159-4CF7-BEB1-713EAB511205}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40294E36-4581-49A9-9DA5-61B829DCEA7C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscoree.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{29E507D8-C8A7-3698-92FB-063F5B097B3B}\14.2.46.0\Class = "GdPicture14.BarcodeAztecReaderScanMode" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E4BF1E65-DDBB-37CD-901E-1D6808A310A2}\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Dten600.SearchReportJob\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A6B0EFB-F95A-4D9B-87F3-8BDAFB073E77}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87CA5AE5-B668-3706-8AFA-B7031A60CEDD}\14.2.46.0\Class = "GdPicture14.TwainOrientation" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0A239820-7E4B-3350-8634-02974ADE3735} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{426B5317-D5C9-411D-A518-E026C137E3F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E09B1C3C-4818-319E-8C07-BCEAB34C5DF6}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A17E454-5D3A-3D52-A777-81B2A7E22CE6}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D6A9405-9A84-362E-875E-2B6C1801C196}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GdPicture14.BookmarksTree\CLSID\ = "{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\XCVault\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A967E5D1-B0E1-11D3-B57C-00105AA461D0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E920A0D-3156-4EB6-932F-5AB7287C54E5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12A9C2C4-700D-3621-BF41-CA4109FB648A}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E188228F-CBB1-3F4F-A283-28C904981BAB} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65466D04-F72E-325C-9E42-7F7F939C773E}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{869E2208-9E34-3759-B236-B5CA98C63619}\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{398FF59B-7B27-3D83-B9E7-EBED5F1B8BCD}\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53D6E3DD-6F2C-45BC-8B43-D74267B6BBB8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63375FB3-4F89-42F0-8090-209E954EBA1A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DD22AFE4-01F6-354A-A0E5-B2FAFD0C870A}\14.2.46.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{057F64D9-47A8-35D3-874F-2832B1CEF33E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A4132C42-DD75-3365-A307-4D98A2E48D7D} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{390B86AF-6FE2-3AAE-9864-61D5697B2040}\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4F8F66C-8F08-33CE-AEF2-AC3B0E8B9EFD} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CCBEF77-C177-4CC5-AC3E-18B08E29D628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{326B2199-D79D-3447-9565-B99A4F73C251}\14.2.46.0\Class = "GdPicture14.PdfTextDecorationStyle" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2C4AECCF-5491-39DD-AB70-4945DFE44D7B}\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{217A880A-A40E-385D-82B0-074F6A4DE136} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C5A57C2-81CA-4F69-BC52-A86F244934AF}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F578A25-D034-35D4-86DE-F5B986E0AC71}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49423ABA-6AC6-3259-BF41-09893EEE9A32}\ = "_ExternalOcrPageRequestEventHandler" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A967E5C4-B0E1-11D3-B57C-00105AA461D0}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\FileCenter\\Main" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BDA31A5-2591-3F8F-9019-D7ADA4C8807E}\14.2.46.0\Class = "GdPicture14.Imaging.GdPictureInterpolationMode" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71351467-9A3A-354D-B1EA-161F338DA28C}\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D649A087-D8E2-4D6A-917A-625726293308}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0120955E-BC65-3769-B8CF-9D372AEA99F2}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F4779F59-B5FB-3F6C-B277-6CA62D99A838}\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dten600.SearchResults\CLSID\ = "{798CBE35-B27D-11D3-B57C-00105AA461D0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lbvProt.ProtocolHandler.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4F0EAD1-C256-40AD-9CCF-B9CD8872EC9A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73075CBA-0FA9-4A85-9922-EE773B6C9FDC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp
PID 4424 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp
PID 4424 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp
PID 3748 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3640 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3640 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3748 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 3748 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe
PID 4736 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 3748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 3748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4324 wrote to memory of 1600 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4324 wrote to memory of 1600 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4324 wrote to memory of 1600 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4324 wrote to memory of 4280 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp" /SL5="$9020A,312502282,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe" -CLOSEALL

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe" -INSTBEG

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent

C:\Windows\Temp\{D128095A-BB57-4F7C-9196-F164A5F6DD40}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{D128095A-BB57-4F7C-9196-F164A5F6DD40}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{CA134671-7DDE-4C6F-AA1C-BB0FE686C483}\.cr\PDFXLite10.exe

"C:\Windows\Temp\{CA134671-7DDE-4C6F-AA1C-BB0FE686C483}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=692 -burn.filehandle.self=696 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe

"C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{03CE334F-8CDF-4B91-87AC-6D5CB182298F} {8052773C-53A9-4469-9103-36E7D5191453} 4888

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding A3E6938F3203720F0FDA64C3ABE9819F

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding CB63C17BB4D37D39320FFC92D7CC3344 E Global\MSI0000

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AIBF5.tmp\PDFX5SA_sm.tmp" /SL5="$D00EC,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe

"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.14.0&CN=OBJIYUIE&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffae8cb46f8,0x7ffae8cb4708,0x7ffae8cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,6472495847112381394,10204883062328239707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,6472495847112381394,10204883062328239707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,6472495847112381394,10204883062328239707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,6472495847112381394,10204883062328239707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,6472495847112381394,10204883062328239707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""

C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe" 1768

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.filecenter.com udp

Files

memory/4424-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4424-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-6BL0G.tmp\FileCenterSetup12 - Copy.tmp

MD5 dcd92fa31977a222d0e4d3fe110d415e
SHA1 fc4cc2685ea2e2c937d2d54c2ba569a97f1c6848
SHA256 bb8cfa8d5374d7369480722bd269103bf4e0d3a7d636f4c1f135e6f8561aaa31
SHA512 8b35b4010bc8a4d3cfe70f6236c9cbf89c67cb71787e00f9084114ea5ca346b3fa12a7fe43a3e79522058008baf658c8d36e144769ee16af47ed5b16bb9fe36c

memory/3748-6-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3J194.tmp\FileCenterUtils.exe

MD5 ffb87bfe5ca1c40867bbca673cb3d781
SHA1 177948841e3a331ca82e0d8a131a442bf757fdc5
SHA256 d80774394ac842559a2ef0188b7a6195d829e66bdbc67f9a6730ad67440f26ce
SHA512 cdbd0ee39ade5719852ac427c251c66f83c6f3788e6b2cae2c43d95438cd7de056176a54df6b89b8133b6cda79153663d71059f47ca20826c17c7cf067a057cf

memory/4800-12-0x00000000000E0000-0x0000000000B76000-memory.dmp

memory/4800-13-0x00000000000E0000-0x0000000000B76000-memory.dmp

memory/1616-15-0x00000000000E0000-0x0000000000B76000-memory.dmp

memory/4424-16-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3748-17-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3640-19-0x00000000000E0000-0x0000000000B76000-memory.dmp

memory/4736-21-0x00000000000E0000-0x0000000000B76000-memory.dmp

memory/3748-86-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3748-129-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3748-353-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

MD5 ed1e3b9afc9e1f076de63d148468b4ee
SHA1 510a36875a9757de55b805244c65eee41a11dfe4
SHA256 04fd77164842ab7f403dec3d97a62c45a04e9e2b90beb3b9ac8c0a2780880179
SHA512 3688f5c12f0ec6185b79f9c04083eba97adc23404e4e109cb88f440089ab9faf81036380990505ae09d56030672eb082279eaf1bd44e82a6035cfaea5987e777

C:\Program Files (x86)\FileCenter\Main\dten600.dll

MD5 39698bea7b317af87e8edc0eec6a4a2f
SHA1 0a1291467a7214cf737ead9f65bb2f289c6df8f2
SHA256 328222ab8818e3703ef51b3221aeda932c85cf3ba674d2d8e69186cfc324a6f5
SHA512 5757d701731c9ad23256ee6efe3d453804529a2684559ed04cb5dd40c51edd2875907aeeea6ceb0cbc4c4ebdfb732e51fb5dc16cc1092a3413069c12e02ca792

C:\Program Files (x86)\FileCenter\Main\VSTwain.dll

MD5 13f5f7e228ce2b8a3a41dbad4e451279
SHA1 1b3837572602b2620b75bf2ad2aeab89a64f5287
SHA256 11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA512 24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

memory/3900-555-0x0000000010000000-0x00000000101C8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll

MD5 309f2c558edf07ede517c42d46d17996
SHA1 25a5ced9c7552471cf696798198118b95acde3a5
SHA256 976fb78b0f6fe2aa8a5cd06d3bf5fb915bcbba88501d7e99b6fe2357e8b87488
SHA512 e335ec58568d9a4d8d5006dccd4dc93cf786593c530d41ad90127f2f3d47d3fd8fa3e72478da7f6ccae99b89e7eb44a0d8efd189c9ca2d602b540ed5c0c73dee

C:\Program Files (x86)\FileCenter\Main\secman.dll

MD5 085d87f49daf13496e0e018c4008fae6
SHA1 4b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256 d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA512 52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

C:\Program Files (x86)\FileCenter\Main\lbvProt.dll

MD5 336c76d82272c586aaa5cc39f571386a
SHA1 6807e466962d3995c84916bf8c3da69e1d4fa0c3
SHA256 3d3a11a6e6a42c3df462bf93d8ad33ca538fc6426914add7376084d63ec6fd85
SHA512 b6c9c60dc67bcf74596a7bd644dd561e68a23aed5d0c0aca1580d8a1ab1267d105c0f492cf158ca2be1d190f858febd3652a594a0c1bf768647cbbf4cf1c5dc0

memory/4280-558-0x0000000000690000-0x0000000000698000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini

MD5 70da425f8aac14b1484047edb83e60e8
SHA1 69d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512 a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

memory/3180-561-0x0000000000BF0000-0x0000000000C02000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll

MD5 32a54f1f906abf46cd368e0f8f0d761f
SHA1 868af8d4196ba7d6c49d83b72b4085f91e559d0c
SHA256 add8eb0f461c883fbdeff73d46b5b6257b5c31ae4f75b21798635a06d13cebf3
SHA512 9c9859374e1662ca5ad2a2600b7e74f5ea27d49f6e19aa8bbed22d64b60ad2563c221de1c1c61b00583167cf9ef48cdd13349a2761ae8d70bae3522d5b5a0b27

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

memory/3180-566-0x0000000007B70000-0x0000000009EA4000-memory.dmp

C:\ProgramData\FileCenter\Config.ini

MD5 b2ad8f8dcc45644ea167317d050faac4
SHA1 215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA256 9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512 528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

MD5 38c42486f0dd766a975f0ce2986618ce
SHA1 8bd1e5bf1ebbe89158fa148b17161d3c347d2f43
SHA256 2d1f4f59d74d665b77ac347271e2b393acf2323ac0ba39ec6209779e1579cba3
SHA512 10d862f4208acaa7e9a9630ad93b5a8863e64932b5fad1817c22369273b7de1980f91dda9989eb8e9de232c034279fe186c0c12947094ddd7dcdbfa1de56107c

C:\Windows\Temp\{D128095A-BB57-4F7C-9196-F164A5F6DD40}\.cr\vc_redist.x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Windows\Temp\{9A1208F3-A234-4E31-993F-23FAC2FC1F58}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/1040-624-0x0000000000300000-0x0000000000ABB000-memory.dmp

memory/4324-625-0x0000000000E60000-0x00000000018F6000-memory.dmp

C:\Windows\Temp\{9A1208F3-A234-4E31-993F-23FAC2FC1F58}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

MD5 f7943a2ae33fec2af7e368e747fcfb4c
SHA1 150594e46fadd23724d8d561fb6a1cccd01f9b15
SHA256 fa060962d58afabdf8897e3a7e9a42411fc8cedf56c8efe3f70ccbece1d77996
SHA512 b6677569a716cdaaa3dc372cf4c288b5286fab8e0ace51126165f12c2209288fa5c250760ab426929f82ceb7d32e292a14e59f4d0cc88ea95d0ff1ec98a865b5

memory/3180-662-0x0000000005FA0000-0x0000000006544000-memory.dmp

memory/3180-663-0x0000000005AF0000-0x0000000005B82000-memory.dmp

C:\Windows\Temp\{CA134671-7DDE-4C6F-AA1C-BB0FE686C483}\.cr\PDFXLite10.exe

MD5 2ce2de198067f5a21b2f9a1b1672011d
SHA1 6beb44c86efe2e5b6aa15a2d0a405bf9d1eed90c
SHA256 4daaa20e3f8d48b8ae122828e233f433556ce4c1fc14bbf446e9e3bb498065dc
SHA512 8c5dde6061deaa5e1b7730385d2efb3b35f2e485481b8684b5897de161950a482fe1034306f103102193c91bc227887a345ec99ea8167a4e6cc2ee7447e242ce

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.ba\wixstdba.dll

MD5 0ba387d66175c20452de372f8dbb79fe
SHA1 5411d41a7d88291b97fb9573eb6448c72e773b70
SHA256 7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA512 13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\.ba\logo.png

MD5 04967ef5107480ea36b3e2e97af7eb7a
SHA1 6efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA256 63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA512 00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

memory/3180-696-0x0000000006A30000-0x0000000006A52000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb

MD5 c044775b522728cf1e9d5b2c217aef78
SHA1 c02be4445f31277e8c04696b517e21c5ac7b585e
SHA256 32e3b91d896373547a3837eeb60540fdd9069a419b87838deb4e9a380af11d74
SHA512 476d0a87798d3c38f292cbae9a34fc9a332fec6e9cb05c6dadab44b154bbb555463f0cea969801a6982f4d7919059d11fc6c400ebef4c37c7ae922d50511be36

memory/1788-700-0x000001EB17E00000-0x000001EB17E10000-memory.dmp

memory/3748-702-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1788-703-0x000001EB34760000-0x000001EB36A94000-memory.dmp

memory/1788-704-0x000001EB323B0000-0x000001EB323D2000-memory.dmp

memory/3288-710-0x0000000000E60000-0x00000000018F6000-memory.dmp

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\PkgLite64

MD5 2fd6b6c527a01667a51e7fcffd83dd66
SHA1 dc1aeeb425c0d4100fc857f6b0b9a61c122f8812
SHA256 6d0856890a1d367184480be791763b2cdc37aecf86be11a024c2beab28a7cb20
SHA512 3ff28e94dadcaa161553a992c7241ed5187ab51aeb194cba7dbf42aa3ab9eded9524b3bd625c4f090d4c35b2a9140f3defec1bcad1232a945c86e858a2e68fa6

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\cab20F2A2993791BDD97B003B5578C7EAC7

MD5 8964de2589373217432b446c88f91b92
SHA1 20be3b02e60ea79808440c669470c7c9b191c682
SHA256 afd0958f99eae99746a544fbdfcf23be3cd5133278e6acd01eb77c9c22a79233
SHA512 ed01dc565eb9aeeeabb06cf484fec08391fb04989648f45b6e7765b6d8f8c5f9a500f891c0dbca819f6e48cea570b92c909d6eb36abf4f0e08b4f97c6f89b630

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\cab293E212B151FCAC5768C99D66AA8D9AE

MD5 91080a23e2ea236c62be20753081db45
SHA1 f36de4f3142476dff5a7058f641f9989bc055e2e
SHA256 0c257a95528a377ef5e7dd17bd7d0fe71ee69acea10f68d89d3851bbf5232227
SHA512 4973f0f925dbd17bf7fa6a24f88c4a6e69e2bac1287ac47075caaa4aedecf63a18aeb5db38db448cb2eed6adff433c7f6a3087615de2a10731326ff3c0693e50

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\cab5DD1590118F3640F385DB3EB2F516E5C

MD5 da39c1c957d623342495b094ebf57cf6
SHA1 f248803c43843bee135b49100b276298a88057b6
SHA256 b71b25c5b2af24fad28181701f8aa9e949136e30d6b26e267f7c2f21c373941c
SHA512 dcf3461fedab19fa9ceaaa00e59a7c4f277b57e464b3dac4afc65c96a9441da89e957d087ae0c2a17a04947cc49bc38667ee09e74a1c1e5cb7ce6c0b8fca4375

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\cab8D36E281ACA51D7FBE9AB973BE9B36E3

MD5 dff2df55d0d52211bd0e873ae9c3a696
SHA1 49def2f68992d24cfa77002284ca2616726f11a9
SHA256 06a036bc395e12c0121e79017866f0b72fe8db8bc55ce601d898144e3edf55dc
SHA512 ce4e9bcbe90182281694fc0b6256cf51a3a91cbb42ecf16422443a158d77730e809f2e105f20d234d314a32ad6acf6016bb261e55b1ed34ea998f7216ff551a2

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\cab20036D21E40418DD3280D692958B9275

MD5 7e5f82bf3db6aa8ee85a64b8f71a2135
SHA1 f08abdd7e2c77de8f9207f2029487cc735e7c68c
SHA256 ecafc712a349923e0f6a30f0cb4bdcab1d676fd9343aafb2317aa0f2970d20c1
SHA512 b349a863e7d0abff83068dfbcaf5b74e5e515440248884ebabb1733a2e2eae41c21e15c9b905356b82ca3cbf42f0d26c0e3be3b9e1fafb4ef2e63a6e2ad56e09

C:\Windows\Temp\{B92C997B-1570-4E5C-8C96-055D6EBD0E33}\cab66549ACD4EE6139A64068CA8626575A9

MD5 d38a6d8db326c4bcfae1b6d626bddb47
SHA1 2a76ef431c2430d6110e2e695b45d4c7e96bb797
SHA256 47a0da4c2b83b33ecfcc839408a1f1494565609216ac28903b914fb79c099cc6
SHA512 816f904a0cc3850232f0ae6378f20288fdb468207e3a591444972ef2756ec9ba99413866d478decda6e2eae9e206a254ce2ad50823a2f6658a10a9f6ff490fe2

C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt

MD5 94fe5d867910f88fd78edc260a2d5ef2
SHA1 a6319c377dd94649ad44d3ae1b63310a7352e355
SHA256 1e12fb24da057216b9210d854202bb7c3c8228182c464d3ccf5f3eb33e0c9e73
SHA512 369797f334eaa8d7377019bc0fbe34ab83f87d0e6c806be4208cdb43e38a4e1675549b47cabf8d584de0ba5663f0db93e80080d55c658498cb3f512d05cb6222

C:\Windows\Installer\MSI99F9.tmp

MD5 c993da91312cc53c1dabbc5da730b80f
SHA1 5dc3175f6a248ca8cac3e3092cb138ece2947f9c
SHA256 a5f007aade6594c570c95dbdffb04a8bb15a0268cde4bef1587dba0df45b155e
SHA512 2890148c5ebc3ae6e529aa0de4dd895a1117bf972089a9ac0cdfb65c052e72e2de8a732d0a4b2458432344fb017b2c3bfd4627fa87fb45c9506536552e648cfa

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 d45065fed5160c45375e67fcbe111212
SHA1 4633a2c8dae4bc88149bab4bf27a0d64d260fc31
SHA256 b87fb6f2e265647e8b1de0fc2ccdddda1c5e8b49cc714dc2867e9a915f71c27a
SHA512 0510e1a0d10d114a4face12efbc2af31993991b96abd0ed1c7d0b447b1cbf1cf0b91e9c52d42ce8f0036fab00fb63f3caf438e0510ca82645ba6b75326032052

C:\Config.Msi\e5869c4.rbs

MD5 ff07705c00c4eededbedc3cdd6f2b854
SHA1 ca76e7563c9225423b28e27f816b8bfd1dc55686
SHA256 406556a2b78342a46549527f3102cec57e36445c67bee6c1c263b915d850a1ab
SHA512 8c2d227cc050885ec9c13a4670d3edecd7f7f833c994cd5567245cc9597cacaae16e304926204ab67f33b8ece991421903c24fe9b769e3ba09031fb3bab0b155

memory/3288-948-0x0000000000E60000-0x00000000018F6000-memory.dmp

memory/1364-949-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3308-951-0x0000000000E60000-0x00000000018F6000-memory.dmp

memory/3748-962-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll

MD5 2fbf69d014ae135d473ec8243d44be9e
SHA1 2c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA256 6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512 530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

memory/4280-1011-0x0000000000400000-0x000000000052C000-memory.dmp

memory/1364-1012-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3748-1015-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3748-1022-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4424-1023-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1768-1026-0x0000000002040000-0x0000000002A79000-memory.dmp

C:\ProgramData\FileCenter\Settings\POLData_Lock.tmp

MD5 724deba0ee02aa7ad576295d784b1230
SHA1 f4f36556c9babc24a278f5f2ddcce4bff6a64bc7
SHA256 a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac
SHA512 3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

C:\ProgramData\FileCenter\Config.ini

MD5 4345ed95828ca70d5fbd8ded860a10ee
SHA1 d9285e7e8bd96d173b001fb3e09432ec70cbfeeb
SHA256 383b7c07e1a008fda90cf01d13640c7d3cbf9c909d595132407b5c4b8a4f30a4
SHA512 17e64dcf2762806aeb80defd107299d1e49dc7615a1a79743d56b90cdfc432a46abac4a1664e9fd554294dbd0015592fdd2b772205a8cc09254676e909fb6c35

memory/1768-1120-0x0000000002040000-0x0000000002A79000-memory.dmp

memory/1768-1119-0x0000000000460000-0x0000000001A76000-memory.dmp

C:\ProgramData\FileCenter\MyPortal.ini

MD5 8af40c2a9db1af603163ed8b0e25a3d0
SHA1 36db1a9baec9e7d6d17073529afff9df063e68d9
SHA256 64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705
SHA512 2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

memory/3608-1128-0x0000000000E60000-0x00000000018F6000-memory.dmp

memory/2952-1129-0x00000000020A0000-0x0000000002AD9000-memory.dmp

C:\ProgramData\FileCenter\Logs\Hooks.txt

MD5 ace553aa0a1e935c9f9c01c4591713ab
SHA1 024ea036cc42493f215b0df4d857dd8eaea40545
SHA256 9630e8ffdf9b18209be10ff1e5ebb9c3696065ece0547444c834a3a1f47216b4
SHA512 38b8dfd82baf266a1651a54e42e6eddfdccc97be9b002cf5f62deb7a1827f9f56f78bf209649143670c2b96df5e1462e9d19591825578af16cef6e4c0630f389

memory/2952-1154-0x00000000020A0000-0x0000000002AD9000-memory.dmp

memory/2952-1153-0x0000000000400000-0x0000000001844000-memory.dmp

memory/1768-1155-0x0000000000460000-0x0000000001A76000-memory.dmp

memory/1768-1157-0x0000000000460000-0x0000000001A76000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 efdea1d50524a63bdc8507401c789a32
SHA1 90296f6bf6ebe13e3599dc50630a82a42164c3b2
SHA256 910988d1879b4f635770e848c7f8359149acccb3b36a21048a2515b478cbb004
SHA512 b64894db73aab2bc02a3946069753828803c464799968c79cd10fdfe88c11ec904b995d95cab015be4a3b9ac12ec2443831dafdc00f2d725aad2f9ac23004ed8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 177d8e8ce6dfbc10ca718828888c5ebb
SHA1 f6f6d9b57aa80095b58a316822024982be1250ca
SHA256 f45c851d2f357385e70946f811688d61896515f7e925565e7e4403ff394a78ea
SHA512 5c2208cce6f8a7d66ff2a0fb9ed1c9eb117e5ab66cca33f7180f847c8a279f2a5a2f86263dd1734f59d2519bb8582c21515f5d6ce7f1160cfd99f42898726327

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\ProgramData\FileCenter\Intercepts.ini

MD5 5418c7c76ff879ef60229b2ae6a97e88
SHA1 c1388b68b6a6d62e8f5c949452e520c9066a499a
SHA256 fca75a353370c4b9f38cbb80c82e132d82b4a0d7a277aa5f19bbe2f21c592281
SHA512 370e3595e3f966a6218b734274b9a1f9643d9dc832ca157214a024967364711414fd0b07af7dac50e4fada1b02e352db428920dcf93b0e6e77bc16b8167acea9

memory/1768-1272-0x0000000000460000-0x0000000001A76000-memory.dmp

memory/3748-1274-0x0000000002000000-0x0000000002A39000-memory.dmp

C:\ProgramData\FileCenter\Logs\Hooks.txt

MD5 98c40d1a10d00b4bbc60fbb20db4d127
SHA1 aba2a89cc57e195ca7a865c646511706399764ed
SHA256 e589addfe8f113bf7283d7368088fa6a6d16c9abe0b59252bfa9a9c80ccea3f8
SHA512 4e8478ccf27b86be84da4881b8976a68e81287af896828700cc30fe75fc100edf83a97b972463997da79a13a056e6b8acde28aa6903672bd3c70d777cde7e1c7

memory/4556-1288-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

memory/4556-1292-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

memory/4556-1291-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

memory/4556-1290-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

memory/4556-1289-0x00007FFAB8090000-0x00007FFAB80A0000-memory.dmp

memory/4556-1293-0x00007FFAB5A90000-0x00007FFAB5AA0000-memory.dmp

memory/4556-1295-0x00007FFAB5A90000-0x00007FFAB5AA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 add56ec49f8f478e84a934606effef1c
SHA1 1262ae87ef755e40752740df90d21352d5fc81ec
SHA256 22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327
SHA512 c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

C:\ProgramData\FileCenter\Logs\Hooks.txt

MD5 e73be166cdd37c40dcb5d82a9413e30d
SHA1 e2c2d7cf77fc21547ca6978e2a788ab312f124ac
SHA256 5c168e139693f5305918b2ba1ddc68bd728bdcdd1f592700943e3ac32e4d1e68
SHA512 781e51395c7e9522091b2b43b89a4edbe9b0615de7f2e9b64a055efefe1a24bc8a4c43425ef7ca9e7d75230947849c0f820f2cf301033efcefcde6f4af19d31e

C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe

MD5 61e1e72619c55edea21b38b57446b670
SHA1 7ba9baffec016fa08656ad699648b201cd1b76e2
SHA256 c4544843971eea8bd18f75689d733c5dcac5c3055e1908207b47686281587331
SHA512 15677b9cb80e52a87482c747883c8023b1759bf8c2ad35325f5fd3f5cb2e13120fdf29d47c82fdb27045938fefa8fa7f3c36ed7eec2b007e7c84ffeea8bf2dee

memory/1768-1327-0x0000000071230000-0x0000000071231000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4aeb5c8113d157abc73ca044217366c0
SHA1 acc14362e71de16e0b08992fda48dc966542e669
SHA256 fc48e6dc538a39f69ef805df4fd09050a41798fac511dd0315f34af3ab071057
SHA512 a2d956b0746a0f2e5b4641ac98a2a374f40b228c435c004005c8d3722c0c5cbf88a60b0a606cf4fd723b300e4d0118794f75a0f776be01eb18588f9bf7c03683

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 43e5c451e3729633b46941b9e83b9469
SHA1 00b37fb84b53bcd84059508d02199f3563fbbced
SHA256 7d19169f833cd9a15d241761fa4a2d01472b8c815d2f6653610e49a993537d23
SHA512 889bfd28d72bc8edfdea2514b09cc740c96124628671c71de4d173551a6dc8907f9ed0de016fb6e0305e335671fc4c825f4e427b51800d2bddf33499d8616683

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 14:38

Reported

2024-06-14 14:54

Platform

win11-20240508-en

Max time kernel

798s

Max time network

818s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe"

Signatures

Vidar

stealer vidar

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c4980d2e-febc-4df4-8611-f44b5852a185} = "\"C:\\ProgramData\\Package Cache\\{c4980d2e-febc-4df4-8611-f44b5852a185}\\PDFXLite10.exe\" /burn.runonce" C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File opened for modification C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.barcode.2d.reader.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Tiff.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.cs-CZ.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.nl-NL.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterInjector64.exe C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-DTS8E.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-JIR9L.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ja-JP.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.sl-SI.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-3M5AA.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterQBD.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrspdf15.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-M0FOU.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-OCO09.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-P9SPP.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\ISYS11df.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-APV5J.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.gl-ES.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\PrnInstaller.exe C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.pt-PT.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Symbol.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\dscrt40.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-E9I6Q.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.machine.vision.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-1UD15.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-P16B9.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-LJEBA.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-UUTRS.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-GCUMG.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-HGJL2.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-OSCC7.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Png.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-49G0F.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-62UB5.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.fi-FI.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterIndexer.exe C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-NF1R8.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-LFK3O.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\x86\mxdwdrv.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsnet15.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-NMFU2.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ko-KR.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.pt-BR.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrstiff15.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\is-A9I60.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.es-ES.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\lbvProt.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-9V0IU.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.az-Latn-AZ.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\is-T662G.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-SSH1S.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\win32\is-LJ6VO.tmp C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdmtxbarcodewrapper15.dll C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-ORL7Q.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-LA5PB.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-HDI3T.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-NQ12U.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-22HRB.tmp C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.zh-CN.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.pl-PL.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterScheduler.exe C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\~DF1C16D3EFC0A3B273.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBC8E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853eb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5853e7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3CD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EE32AC25-40D1-4FA2-86CE-F53B0DCE9FCD} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0D6763BA982B51F0.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3DF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBCFC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{EE32AC25-40D1-4FA2-86CE-F53B0DCE9FCD}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB36D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3CC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0E2EE22305A685EF.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB509.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{EE32AC25-40D1-4FA2-86CE-F53B0DCE9FCD}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBAF6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF6FD874BCC4A59523.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5853e7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3DE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB558.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{6DE85CD3-FCC7-4614-9A69-09029E1C62DE}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{E363B39B-B77C-4814-8F26-2E0785100487}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Temp\{6DE85CD3-FCC7-4614-9A69-09029E1C62DE}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{E363B39B-B77C-4814-8F26-2E0785100487}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Windows\splwow64.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.46.0\Class = "GdPicture14.GdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.46.0\Class = "GdPicture14.GdPictureSegmenter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.46.0\Class = "GdPicture14.PDFReducerConfiguration" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.46.0\Class = "GdPicture14.AnnotationEditor" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.46.0\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.46.0\Class = "GdPicture14.ThumbnailEx" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.46.0\Class = "GdPicture14.AnnotationManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.46.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Class = "GdPicture14.ThumbnailEx" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\WOW6432Node\CLSID\{021BDF87-EEFB-4384-9183-F8170E3DC459}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\14.2.46.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{835265F2-FA0B-319A-8622-437EEA5AE584}\InprocServer32\Class = "GdPicture14.Imaging.GdPictureRectangleF" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\LocalServer32\ = "\"C:\\Program Files\\Tracker Software\\Update\\TrackerUpdate.exe\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\Class = "GdPicture14.GdPictureSegmenter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007974a9d8010144950000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007974a9d80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007974a9d8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7974a9d8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007974a9d800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{886A40F5-7B25-3959-A8F1-1861AE1B9AD5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\ToolBoxBitmap32\ = "C:\\Program Files (x86)\\FileCenter\\Main\\GdPicture.NET.14.dll, 104" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\ProgId C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{697DF027-B24E-11D3-B57C-00105AA461D0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF692378-DFB0-4FA8-B17E-1E56EE9C6F00}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0265291-1DFC-4377-B60D-7AE9CA536A73}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D9725FB-C4AE-3241-87C2-74EB5AEF08C5}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1CB9426-FA08-4829-8470-C8C7FF7F7A00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9C6A106-C4C1-4F7E-9E20-65E53233A2D2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95ABC066-9919-4571-8387-7A7CFB5FAEEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Class = "GdPicture14.GdPictureDocumentConverter" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\Version C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F6E91C4-12B5-4E2F-9C2B-479EF525A9F7}\ = "IRangeHelper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4F0EAD1-C256-40AD-9CCF-B9CD8872EC9A}\ = "IEventsRegistry" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF67F023-1C25-481D-8EE2-D522FC578CC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{701DB470-B5AE-441C-B0DD-30EB08295310}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D14D8C84-A4A9-4CC4-AD61-441F949A360A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6CC3626F-3A77-3388-B3F4-A151F29A834A}\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6D17E84-23E1-461E-BF56-5E5DD195B53F}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C479FC7-3BFF-3614-A06B-813AB8EE540B}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9310DDA5-F90E-3131-8969-7DBD433D1754}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E84FA58-4406-3ABD-90F7-1360E81F6602}\14.2.46.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0120955E-BC65-3769-B8CF-9D372AEA99F2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\FileCenter.exe\shell\open C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41B1AADD-61EE-406C-A8C6-FC02BA66CA67}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91F594C1-7C1A-465D-BC9C-004E2FD7C6C4}\ = "IUIX_ScrollContainer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C341E89-9DC0-4DDA-94D1-BE06A410FC14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E2CB9CC-C8AB-4B22-A9E2-362861350CA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2642276-4441-3971-A644-CD86E416C204}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97AC7381-9417-323E-8AAE-234B95A6157B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\TypeLib\ = "{b5893b58-701e-4110-9871-1da14cf9c1dc}" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{996282FD-2D89-3BDB-87DD-D3EB548D97E0}\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{127EDB28-902F-4487-AC32-3EF045C7AB9F}\ = "IPXCControlEx" C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E18E8434-3DF3-4A20-BFDC-F1F5272F162E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C3E2C472-5A54-4169-98DE-CED5FEDB39F2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95ABC066-9919-4571-8387-7A7CFB5FAEEF}\ = "IPXV_LoupeView" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0B624EB2-5689-388C-891F-17F0A68F6FF4}\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03BC249B-B8BF-49DA-861E-654CEA4B5D2B}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49423ABA-6AC6-3259-BF41-09893EEE9A32}\ = "_ExternalOcrPageRequestEventHandler" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{127EDB28-902F-4487-AC32-3EF045C7AB9F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2F015BB-95B8-4C93-A68D-A9B706733987}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F015B6B9-74AE-3443-9A3B-3E85AE4ACBC4}\14.2.46.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{539F514E-E675-4BE1-86DC-1E5A8E904636} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7F7E13E6-4A5B-3356-9F51-5406AA091179}\14.2.46.0\Class = "GdPicture14.PdfAdvancedImageCompression" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664D5B33-C2CC-4D66-94F8-E8E11FA39242}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99CD1570-5F68-4CB3-A9FA-58E49327AA75}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3B7703D-456F-4B3B-B3F4-1B207653B25F}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B27E7FF-6279-49DA-AE6B-8E13AD665B1F}\ = "IPXV_DocContentsChangesInfo" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{628E3C50-3A9A-302D-99E0-6F6E026C6F6D}\14.2.46.0\Assembly = "GdPicture.NET.14, Version=14.2.46.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E31C4173-E2E9-3369-8406-6CD6E38236EA}\14.2.46.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8DF8461E-52D3-4E37-8AF6-3B5C1F6F7E87}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D513F74-9FC7-4179-A268-92E62D4F03A7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF3EA9CF-3882-4A6A-A9A4-BC56D8B5B083}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7446442E-F15F-32FB-A5FE-8CE1A1C5D1D0}\14.2.46.0\Class = "GdPicture14.PdfViewerNonFullScreenPageMode" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BB0EB1C-DFE1-3939-85FE-856BEA15B1E4}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88D5604A-0C19-4F47-BD4A-969D740A5B16} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D513F74-9FC7-4179-A268-92E62D4F03A7}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F6F8356-1AB8-40AD-81E4-E1E3E71B4BCD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp
PID 3304 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp
PID 3304 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp
PID 3156 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 664 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 664 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3156 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 3156 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe
PID 1452 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1452 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3156 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 3156 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 3156 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4744 wrote to memory of 4160 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4744 wrote to memory of 4160 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4744 wrote to memory of 4160 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4744 wrote to memory of 4200 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp" /SL5="$40208,312502282,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12 - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe" -CLOSEALL

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe" -INSTBEG

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart

C:\Windows\Temp\{6DE85CD3-FCC7-4614-9A69-09029E1C62DE}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{6DE85CD3-FCC7-4614-9A69-09029E1C62DE}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{E363B39B-B77C-4814-8F26-2E0785100487}\.cr\PDFXLite10.exe

"C:\Windows\Temp\{E363B39B-B77C-4814-8F26-2E0785100487}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe

"C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{4444BD77-2678-437D-9E98-B97352E807C6} {BD593B93-1D8F-4E91-8AE8-5514AAFA15BD} 1880

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 93D6E176660DE89F708F0DCE109514A7

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1654C.tmp\PDFX5SA_sm.tmp" /SL5="$B005A,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding A39AB0781AACD8EC0D1ADB4C5AF66E95 E Global\MSI0000

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe

"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.14.0&CN=AQMCPUSG&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd11103cb8,0x7ffd11103cc8,0x7ffd11103cd8

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:1

C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe" 1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4660 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,5036502626554383534,4330864551887192381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 2.18.66.89:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 2.18.66.89:443 tcp
GB 2.18.66.89:443 tcp
GB 2.18.66.80:443 tcp
GB 2.18.66.80:443 tcp
GB 2.18.66.80:443 tcp
GB 2.18.66.80:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 2.18.66.80:443 tcp
GB 2.18.66.162:443 tcp
GB 2.18.66.162:443 tcp
GB 2.18.66.162:443 tcp
GB 2.18.66.162:443 tcp
GB 2.18.66.162:443 tcp
GB 2.18.66.162:443 tcp
GB 2.18.66.81:443 tcp
US 8.8.8.8:53 www.filecenter.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.filecenter.com udp
US 8.8.8.8:53 www.filecenter.com udp
US 8.8.8.8:53 www.filecenter.com udp
US 8.8.8.8:53 www.filecenter.com udp

Files

memory/3304-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3304-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DKQ25.tmp\FileCenterSetup12 - Copy.tmp

MD5 dcd92fa31977a222d0e4d3fe110d415e
SHA1 fc4cc2685ea2e2c937d2d54c2ba569a97f1c6848
SHA256 bb8cfa8d5374d7369480722bd269103bf4e0d3a7d636f4c1f135e6f8561aaa31
SHA512 8b35b4010bc8a4d3cfe70f6236c9cbf89c67cb71787e00f9084114ea5ca346b3fa12a7fe43a3e79522058008baf658c8d36e144769ee16af47ed5b16bb9fe36c

memory/3156-7-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-1N7IF.tmp\FileCenterUtils.exe

MD5 ffb87bfe5ca1c40867bbca673cb3d781
SHA1 177948841e3a331ca82e0d8a131a442bf757fdc5
SHA256 d80774394ac842559a2ef0188b7a6195d829e66bdbc67f9a6730ad67440f26ce
SHA512 cdbd0ee39ade5719852ac427c251c66f83c6f3788e6b2cae2c43d95438cd7de056176a54df6b89b8133b6cda79153663d71059f47ca20826c17c7cf067a057cf

memory/3184-12-0x0000000004890000-0x0000000004891000-memory.dmp

memory/3184-13-0x0000000000C70000-0x0000000001706000-memory.dmp

memory/3304-14-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3156-15-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1924-17-0x0000000000C70000-0x0000000001706000-memory.dmp

memory/664-19-0x0000000000C70000-0x0000000001706000-memory.dmp

memory/1452-21-0x0000000000C70000-0x0000000001706000-memory.dmp

memory/3156-46-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3156-89-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3156-269-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

MD5 ed1e3b9afc9e1f076de63d148468b4ee
SHA1 510a36875a9757de55b805244c65eee41a11dfe4
SHA256 04fd77164842ab7f403dec3d97a62c45a04e9e2b90beb3b9ac8c0a2780880179
SHA512 3688f5c12f0ec6185b79f9c04083eba97adc23404e4e109cb88f440089ab9faf81036380990505ae09d56030672eb082279eaf1bd44e82a6035cfaea5987e777

C:\Program Files (x86)\FileCenter\Main\dten600.dll

MD5 39698bea7b317af87e8edc0eec6a4a2f
SHA1 0a1291467a7214cf737ead9f65bb2f289c6df8f2
SHA256 328222ab8818e3703ef51b3221aeda932c85cf3ba674d2d8e69186cfc324a6f5
SHA512 5757d701731c9ad23256ee6efe3d453804529a2684559ed04cb5dd40c51edd2875907aeeea6ceb0cbc4c4ebdfb732e51fb5dc16cc1092a3413069c12e02ca792

C:\Program Files (x86)\FileCenter\Main\lbvProt.dll

MD5 336c76d82272c586aaa5cc39f571386a
SHA1 6807e466962d3995c84916bf8c3da69e1d4fa0c3
SHA256 3d3a11a6e6a42c3df462bf93d8ad33ca538fc6426914add7376084d63ec6fd85
SHA512 b6c9c60dc67bcf74596a7bd644dd561e68a23aed5d0c0aca1580d8a1ab1267d105c0f492cf158ca2be1d190f858febd3652a594a0c1bf768647cbbf4cf1c5dc0

memory/4200-552-0x00000000002E0000-0x00000000002E8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\VSTwain.dll

MD5 13f5f7e228ce2b8a3a41dbad4e451279
SHA1 1b3837572602b2620b75bf2ad2aeab89a64f5287
SHA256 11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA512 24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

memory/3156-555-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3136-556-0x0000000010000000-0x00000000101C8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\secman.dll

MD5 085d87f49daf13496e0e018c4008fae6
SHA1 4b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256 d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA512 52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll

MD5 309f2c558edf07ede517c42d46d17996
SHA1 25a5ced9c7552471cf696798198118b95acde3a5
SHA256 976fb78b0f6fe2aa8a5cd06d3bf5fb915bcbba88501d7e99b6fe2357e8b87488
SHA512 e335ec58568d9a4d8d5006dccd4dc93cf786593c530d41ad90127f2f3d47d3fd8fa3e72478da7f6ccae99b89e7eb44a0d8efd189c9ca2d602b540ed5c0c73dee

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini

MD5 70da425f8aac14b1484047edb83e60e8
SHA1 69d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512 a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

memory/1264-563-0x0000000000820000-0x0000000000832000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll

MD5 32a54f1f906abf46cd368e0f8f0d761f
SHA1 868af8d4196ba7d6c49d83b72b4085f91e559d0c
SHA256 add8eb0f461c883fbdeff73d46b5b6257b5c31ae4f75b21798635a06d13cebf3
SHA512 9c9859374e1662ca5ad2a2600b7e74f5ea27d49f6e19aa8bbed22d64b60ad2563c221de1c1c61b00583167cf9ef48cdd13349a2761ae8d70bae3522d5b5a0b27

memory/1264-567-0x0000000007720000-0x0000000009A54000-memory.dmp

memory/1264-570-0x0000000005B50000-0x00000000060F6000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

memory/1264-572-0x00000000056A0000-0x0000000005732000-memory.dmp

C:\ProgramData\FileCenter\Config.ini

MD5 b2ad8f8dcc45644ea167317d050faac4
SHA1 215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA256 9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512 528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

MD5 38c42486f0dd766a975f0ce2986618ce
SHA1 8bd1e5bf1ebbe89158fa148b17161d3c347d2f43
SHA256 2d1f4f59d74d665b77ac347271e2b393acf2323ac0ba39ec6209779e1579cba3
SHA512 10d862f4208acaa7e9a9630ad93b5a8863e64932b5fad1817c22369273b7de1980f91dda9989eb8e9de232c034279fe186c0c12947094ddd7dcdbfa1de56107c

C:\Windows\Temp\{6DE85CD3-FCC7-4614-9A69-09029E1C62DE}\.cr\vc_redist.x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Windows\Temp\{A6DE5072-568D-4230-A0F4-074EE28955C4}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{A6DE5072-568D-4230-A0F4-074EE28955C4}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/1796-628-0x0000000000210000-0x00000000009CB000-memory.dmp

memory/4744-663-0x00000000003A0000-0x0000000000E36000-memory.dmp

memory/1264-665-0x00000000064A0000-0x00000000064C2000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb

MD5 12028ea5fa78401a2f3e8d51de081520
SHA1 c091523a8c0268809d026c33f5f7a7be9ef3ff72
SHA256 9eee911eeb1aef37c74ff8791a11fc20eecca8effb29f53d07ee0a9e1a504252
SHA512 a4d5c7617ca375faa3d75109932cca6950882f7c027a9c4a28d236da019d739107f251f8bb894e0706b272a5c59a5b3eaf7fc49dea9d3e4b8294cfaa0404a8e7

memory/4992-669-0x000001E6BE700000-0x000001E6BE710000-memory.dmp

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

MD5 f7943a2ae33fec2af7e368e747fcfb4c
SHA1 150594e46fadd23724d8d561fb6a1cccd01f9b15
SHA256 fa060962d58afabdf8897e3a7e9a42411fc8cedf56c8efe3f70ccbece1d77996
SHA512 b6677569a716cdaaa3dc372cf4c288b5286fab8e0ace51126165f12c2209288fa5c250760ab426929f82ceb7d32e292a14e59f4d0cc88ea95d0ff1ec98a865b5

memory/4992-671-0x000001E6DB0D0000-0x000001E6DD404000-memory.dmp

C:\Windows\Temp\{E363B39B-B77C-4814-8F26-2E0785100487}\.cr\PDFXLite10.exe

MD5 2ce2de198067f5a21b2f9a1b1672011d
SHA1 6beb44c86efe2e5b6aa15a2d0a405bf9d1eed90c
SHA256 4daaa20e3f8d48b8ae122828e233f433556ce4c1fc14bbf446e9e3bb498065dc
SHA512 8c5dde6061deaa5e1b7730385d2efb3b35f2e485481b8684b5897de161950a482fe1034306f103102193c91bc227887a345ec99ea8167a4e6cc2ee7447e242ce

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.ba\logo.png

MD5 04967ef5107480ea36b3e2e97af7eb7a
SHA1 6efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA256 63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA512 00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\.ba\wixstdba.dll

MD5 0ba387d66175c20452de372f8dbb79fe
SHA1 5411d41a7d88291b97fb9573eb6448c72e773b70
SHA256 7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA512 13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

memory/4992-704-0x000001E6D8D40000-0x000001E6D8D62000-memory.dmp

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\cab20F2A2993791BDD97B003B5578C7EAC7

MD5 8964de2589373217432b446c88f91b92
SHA1 20be3b02e60ea79808440c669470c7c9b191c682
SHA256 afd0958f99eae99746a544fbdfcf23be3cd5133278e6acd01eb77c9c22a79233
SHA512 ed01dc565eb9aeeeabb06cf484fec08391fb04989648f45b6e7765b6d8f8c5f9a500f891c0dbca819f6e48cea570b92c909d6eb36abf4f0e08b4f97c6f89b630

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\PkgLite64

MD5 2fd6b6c527a01667a51e7fcffd83dd66
SHA1 dc1aeeb425c0d4100fc857f6b0b9a61c122f8812
SHA256 6d0856890a1d367184480be791763b2cdc37aecf86be11a024c2beab28a7cb20
SHA512 3ff28e94dadcaa161553a992c7241ed5187ab51aeb194cba7dbf42aa3ab9eded9524b3bd625c4f090d4c35b2a9140f3defec1bcad1232a945c86e858a2e68fa6

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\cab5DD1590118F3640F385DB3EB2F516E5C

MD5 da39c1c957d623342495b094ebf57cf6
SHA1 f248803c43843bee135b49100b276298a88057b6
SHA256 b71b25c5b2af24fad28181701f8aa9e949136e30d6b26e267f7c2f21c373941c
SHA512 dcf3461fedab19fa9ceaaa00e59a7c4f277b57e464b3dac4afc65c96a9441da89e957d087ae0c2a17a04947cc49bc38667ee09e74a1c1e5cb7ce6c0b8fca4375

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\cab293E212B151FCAC5768C99D66AA8D9AE

MD5 91080a23e2ea236c62be20753081db45
SHA1 f36de4f3142476dff5a7058f641f9989bc055e2e
SHA256 0c257a95528a377ef5e7dd17bd7d0fe71ee69acea10f68d89d3851bbf5232227
SHA512 4973f0f925dbd17bf7fa6a24f88c4a6e69e2bac1287ac47075caaa4aedecf63a18aeb5db38db448cb2eed6adff433c7f6a3087615de2a10731326ff3c0693e50

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\cab66549ACD4EE6139A64068CA8626575A9

MD5 d38a6d8db326c4bcfae1b6d626bddb47
SHA1 2a76ef431c2430d6110e2e695b45d4c7e96bb797
SHA256 47a0da4c2b83b33ecfcc839408a1f1494565609216ac28903b914fb79c099cc6
SHA512 816f904a0cc3850232f0ae6378f20288fdb468207e3a591444972ef2756ec9ba99413866d478decda6e2eae9e206a254ce2ad50823a2f6658a10a9f6ff490fe2

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\cab8D36E281ACA51D7FBE9AB973BE9B36E3

MD5 dff2df55d0d52211bd0e873ae9c3a696
SHA1 49def2f68992d24cfa77002284ca2616726f11a9
SHA256 06a036bc395e12c0121e79017866f0b72fe8db8bc55ce601d898144e3edf55dc
SHA512 ce4e9bcbe90182281694fc0b6256cf51a3a91cbb42ecf16422443a158d77730e809f2e105f20d234d314a32ad6acf6016bb261e55b1ed34ea998f7216ff551a2

C:\Windows\Temp\{C088A8F8-222C-4D66-BE49-584F15A3F445}\cab20036D21E40418DD3280D692958B9275

MD5 7e5f82bf3db6aa8ee85a64b8f71a2135
SHA1 f08abdd7e2c77de8f9207f2029487cc735e7c68c
SHA256 ecafc712a349923e0f6a30f0cb4bdcab1d676fd9343aafb2317aa0f2970d20c1
SHA512 b349a863e7d0abff83068dfbcaf5b74e5e515440248884ebabb1733a2e2eae41c21e15c9b905356b82ca3cbf42f0d26c0e3be3b9e1fafb4ef2e63a6e2ad56e09

C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt

MD5 bab932ee42f7bc005b8f4af33c95a943
SHA1 1b70b7feab63afaa84233799b5c8819169cc8657
SHA256 4a50528baa9231f22e1786e27f56846219446f1fb403cad07a928ff4adefa0bc
SHA512 f133c3fd3af78f58535fba10bf74d3ebf5883100eaeb31987f0011a7642b3d7231fac441b0ca28e626068c12c50698af2b4bf9e7f81dcde6edb40dba6933d433

memory/3816-730-0x00000000003A0000-0x0000000000E36000-memory.dmp

C:\Windows\Installer\MSIB36D.tmp

MD5 c993da91312cc53c1dabbc5da730b80f
SHA1 5dc3175f6a248ca8cac3e3092cb138ece2947f9c
SHA256 a5f007aade6594c570c95dbdffb04a8bb15a0268cde4bef1587dba0df45b155e
SHA512 2890148c5ebc3ae6e529aa0de4dd895a1117bf972089a9ac0cdfb65c052e72e2de8a732d0a4b2458432344fb017b2c3bfd4627fa87fb45c9506536552e648cfa

memory/3816-759-0x00000000003A0000-0x0000000000E36000-memory.dmp

memory/2632-763-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1168-794-0x00000000003A0000-0x0000000000E36000-memory.dmp

C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll

MD5 2fbf69d014ae135d473ec8243d44be9e
SHA1 2c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA256 6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512 530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 852501f0c3746cbbc859f6b3a6d32cb2
SHA1 1554cc2fb4a7b224d9f632d69102ddab6c993897
SHA256 6d85c2d4ca3d1c73147d78acec1a7171e82eacf0ce2b7c108d7b025c9a4da2dd
SHA512 c078dd249c865f74ef6a0e4b7ca0dba40fa2edda3b9636d6e9c63387acdf4acb20a0f0173a810712e5ba609e32b1809cc2a90e042cba9d87a7ea5eb4369a9c0d

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 259772a8f8d87dff52d7b44faaf24f73
SHA1 01266d86b2171a9510785dece2149cd73a15e067
SHA256 fe008a8abd5d0c09f6a03e8dcccd754b8d1c73cd94802632c3424579161d8420
SHA512 d5ca6042b79cef634eb88a227d9d2ecfd6008be129fa93e340e21b3c33ba4cfa78a27972c7bb33d16c47339614fe89fa2981e62b6f289835036a6d217dc9464e

memory/5056-976-0x0000000000400000-0x000000000052C000-memory.dmp

memory/2632-978-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Config.Msi\e5853ea.rbs

MD5 fc8ebc6ef78560bd20578ff2c55478af
SHA1 04852d25f5928eca43b85fc3572a1e10981b34fd
SHA256 c7affa230dfd60eddeb1764a83ff231b468fb81416d2881e9000fc0612b95070
SHA512 1d8bd9c5914b8c2c75ef332b5e6740765b223a975359e8aa9d2444e0d1356708b1e3c63cd2f6fe1063d532404494a1dce24d04e7c3730e82d0d77d4f5616c1a5

memory/3156-1012-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3156-1020-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3304-1021-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1472-1024-0x00000000023F0000-0x0000000002E29000-memory.dmp

C:\ProgramData\FileCenter\Settings\POLData_Lock.tmp

MD5 724deba0ee02aa7ad576295d784b1230
SHA1 f4f36556c9babc24a278f5f2ddcce4bff6a64bc7
SHA256 a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac
SHA512 3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

C:\ProgramData\FileCenter\Config.ini

MD5 4345ed95828ca70d5fbd8ded860a10ee
SHA1 d9285e7e8bd96d173b001fb3e09432ec70cbfeeb
SHA256 383b7c07e1a008fda90cf01d13640c7d3cbf9c909d595132407b5c4b8a4f30a4
SHA512 17e64dcf2762806aeb80defd107299d1e49dc7615a1a79743d56b90cdfc432a46abac4a1664e9fd554294dbd0015592fdd2b772205a8cc09254676e909fb6c35

C:\ProgramData\FileCenter\MyPortal.ini

MD5 8af40c2a9db1af603163ed8b0e25a3d0
SHA1 36db1a9baec9e7d6d17073529afff9df063e68d9
SHA256 64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705
SHA512 2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

memory/5016-1124-0x00000000003A0000-0x0000000000E36000-memory.dmp

memory/2412-1125-0x0000000001F90000-0x00000000029C9000-memory.dmp

C:\ProgramData\FileCenter\Logs\Hooks.txt

MD5 3b34ae042af8e64c34e77422a176a29b
SHA1 23f0482f630c577d18f05d9ea8993407ce1ec699
SHA256 38c455040d3dece6d66aa479e47a134b58c3f37019e7162f26dd0ea1a1072a79
SHA512 4b79d55c3d95102f99ecc48c40a49c3d7fbf07e733feb5ac3ecb0a34edb89103641b3bf4526432d88376649f01c19b540f84aa0e8fe99ecbebf528ea08e8606c

memory/1472-1148-0x00000000023F0000-0x0000000002E29000-memory.dmp

memory/1472-1147-0x0000000000450000-0x0000000001A66000-memory.dmp

memory/2412-1152-0x0000000001F90000-0x00000000029C9000-memory.dmp

memory/2412-1151-0x0000000000160000-0x00000000015A4000-memory.dmp

memory/1472-1153-0x0000000000450000-0x0000000001A66000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f2eb94e31cadfb6eb07e6bbe61ef7ae
SHA1 3f42b0d5a90408689e7f7941f8db72a67d5a2eab
SHA256 d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de
SHA512 9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d56e8f308a28ac4183257a7950ab5c89
SHA1 044969c58cef041a073c2d132fa66ccc1ee553fe
SHA256 0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae
SHA512 fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b27678bf062436f64fc34348e6952739
SHA1 2ab0fcaa2a4543f4228400b88be046673ad9f1ee
SHA256 bd82720573df79bd5a5d20004e7cb04709ff527b0446a0952a9c2c6332595d64
SHA512 7d20250211eae50f3598e30e46987f1c8ec24335c258bd647179e9177290910bbd86ba1b7ed000612fbd9ff47b7da8fd4fc0a38f3ecd1a7f26702848cc797011

C:\ProgramData\FileCenter\Intercepts.ini

MD5 5418c7c76ff879ef60229b2ae6a97e88
SHA1 c1388b68b6a6d62e8f5c949452e520c9066a499a
SHA256 fca75a353370c4b9f38cbb80c82e132d82b4a0d7a277aa5f19bbe2f21c592281
SHA512 370e3595e3f966a6218b734274b9a1f9643d9dc832ca157214a024967364711414fd0b07af7dac50e4fada1b02e352db428920dcf93b0e6e77bc16b8167acea9

memory/2908-1201-0x0000000001F00000-0x0000000002939000-memory.dmp

memory/1472-1204-0x0000000000450000-0x0000000001A66000-memory.dmp

memory/3364-1208-0x00007FFCF3390000-0x00007FFCF33A0000-memory.dmp

memory/3364-1210-0x00007FFCF3390000-0x00007FFCF33A0000-memory.dmp

memory/3364-1209-0x00007FFCF3390000-0x00007FFCF33A0000-memory.dmp

memory/3364-1211-0x00007FFCF3390000-0x00007FFCF33A0000-memory.dmp

memory/3364-1212-0x00007FFCF3390000-0x00007FFCF33A0000-memory.dmp

memory/3364-1213-0x00007FFCF09D0000-0x00007FFCF09E0000-memory.dmp

memory/3364-1215-0x00007FFCF09D0000-0x00007FFCF09E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 add56ec49f8f478e84a934606effef1c
SHA1 1262ae87ef755e40752740df90d21352d5fc81ec
SHA256 22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327
SHA512 c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9a7db279d3ea63cb34ad560dfed821d6
SHA1 3f8a07c0b05f248f7dae60e1331026abf2eaab01
SHA256 824d1f01bf4402fb2a36c8ba7a6e2e4912beeb343d1768e7266868f711d1abc5
SHA512 476fb92a99847337b76277fe3ab27e2b1afd6f936364698e73642c5d148fb107a90bc0209b82ad49d5854a1c91f37a2097a82d2d52557d9a9ded0e3f0051906b

memory/1472-1253-0x0000000000450000-0x0000000001A66000-memory.dmp

memory/2908-1256-0x0000000001F00000-0x0000000002939000-memory.dmp

memory/2908-1255-0x0000000000160000-0x00000000015A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 b491464a0d8bc9fec84107f3a04bb20b
SHA1 2ca3928a5a14276b923dd397ebd99e05c88e4993
SHA256 790854550e40d120dbfa3d2b7cc10caec3827e179312900860584e5c5e886f1c
SHA512 6dd4ee3f2f024ec24488b54e22847b948b73a4fe22b2df8e78452b17e4efe89b4b1f13738a4e7814a0bc4f4fb82f2808f9398b51d3cfe023e52bf34fcae95835

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 81f90f6db19b98e77ead5e003d050e79
SHA1 be9345c0a79c89c65d7cd7578d088b5c9d6c7e81
SHA256 bf99cb1a706cb134dc3f3a8987392addcc86848c321804599cce93f894c8704b
SHA512 aa360b096363c7751801be699c5cf853ec2c98d69054a80a922e3681c37124a86fd8e402dccb1b4ab4ae12ccf6190165a6250a88ee1b83ece1baf71a675b8b93