Malware Analysis Report

2024-09-11 16:41

Sample ID 240614-tbnnva1cqn
Target FileCenterSetup11 11.0.52.0.exe
SHA256 054986aec67c2880cec42fb6de4a84cfeeb061100adf848896f959d118868990
Tags vidar discovery persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 054986aec67c2880cec42fb6de4a84cfeeb061100adf848896f959d118868990

Threat Level: Known bad

The file FileCenterSetup11 11.0.52.0.exe was found to be: Known bad.

Malicious Activity Summary

vidar discovery persistence stealer

Vidar

Enumerates connected drives

Adds Run key to start application

Blocklisted process makes network request

Drops desktop.ini file(s)

Drops file in System32 directory

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Registers COM server for autorun

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Modifies registry class

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 15:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 15:53

Reported 2024-06-14 16:39

Platform win10v2004-20240611-en

Max time kernel 270s

Max time network 205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe"

Signatures

Vidar

stealer vidar

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{be951518-e2b9-4247-8bad-83edab77d2db} = "\"C:\\ProgramData\\Package Cache\\{be951518-e2b9-4247-8bad-83edab77d2db}\\PDFXLite9.exe\" /burn.runonce" C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{1D5AEA50-1415-4096-BE11-4EF45A61285E}\.cr\PDFXLite9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File opened for modification C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterThumbs.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineTR.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsasian215.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.he-IL.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.sw-KE.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-TW.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-OUKHE.tmp C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-1KRD3.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-3P54P.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.da-DK.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Tiff.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-EGIP0.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.gl-ES.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-64O87.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.de-DE.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.lt-LT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-OD73B.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\x64\pxcpmL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.cs-CZ.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-RC4FJ.tmp C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterConnect.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsirisbarcodewrapper15.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-HPKAF.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Png.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-LA74Q.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-3AGLB.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.fr-FR.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrspdf15.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-BVV63.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-C43A1.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterReceipts.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-1DCVH.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-BJ9CT.tmp C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.image.gdimgplug.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-N963D.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-NFK2U.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateAgentEx.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-66P1G.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\DrvUI5.dll C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-EG2AO.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdocout15.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-G3IBI.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\DTKBarReader.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-247DM.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ru-RU.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ru-RU.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\PXC50pm.dll C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterScanner.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAgent64.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\secman.dll.log C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsirisbarcodeextwrapper15.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-QF8OC.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\PrnInstaller.exe C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-BEFE1.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.az-Latn-AZ.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-LR9AD.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.hu-HU.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ja-JP.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\dinfo.dsf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FcConvertData.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\Dlltwain.dll C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-D2027.tmp C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{99F0CAD1-7C91-4F99-8BA9-71E431EB13EA}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5897e6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C5F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E94.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{99F0CAD1-7C91-4F99-8BA9-71E431EB13EA}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9B82.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C10.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{99F0CAD1-7C91-4F99-8BA9-71E431EB13EA} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DC8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5897ea.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5897e6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9A95.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9B32.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C00.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA21F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA349.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA3D7.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{82AEF2EE-01A9-4668-B742-FF759A129551}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe N/A
N/A N/A C:\Windows\Temp\{1D5AEA50-1415-4096-BE11-4EF45A61285E}\.cr\PDFXLite9.exe N/A
N/A N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\Class = "GdPicture14.GdPictureOCR" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.1.0.179\Class = "GdPicture14.LicenseManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.1.0.179\Class = "GdPicture14.GdPictureOCR" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.1.0.179\Class = "GdPicture14.GdPictureImaging" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Class = "GdPicture14.GdPictureDocumentConverter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24DFB749-780D-41B4-9BE3-8894D202B944}\LocalServer32 C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Class = "GdPicture14.BookmarksTree" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.1.0.179\Class = "GdPicture14.AnnotationManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.1.0.179\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Class = "GdPicture14.PDFReducerConfiguration" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\ = "C:\\Windows\\system32\\mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{06052A56-664B-4437-8F8C-9D697D1720B8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0265291-1DFC-4377-B60D-7AE9CA536A73}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{97389195-9A4C-3EEF-9063-0ABEEB65F06E}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEF47EFF-BB69-3277-96AB-06F377382D3E}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C9A72E44-53C5-394E-83E1-A6406BF35B0F}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D36CCCB0-5288-3A4B-96B1-B492A9C168EA}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dten600.JobErrorInfo.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53674462-76AA-41A3-A5A3-5241912E4222}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ED881CB-9DA1-4D56-94E6-5DDE88D5E844}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBF041E8-7CFC-4389-9122-809AAA85BE8B}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B1D0FD-ABB9-40E8-AA06-3E499F135B49}\ProgID\ = "VintaSoft.Twain.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C11678C5-B6D8-4321-944C-ED576708886A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{539F514E-E675-4BE1-86DC-1E5A8E904636}\TypeLib\Version = "e.1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2A6CBE40-9229-33AF-87ED-AEEF61AB6F44}\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56169002-DDE6-3E69-B5A6-F822875A8F98}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{30645D45-CB8E-3F84-A0F7-939D4FB3C556}\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3862573D-5BFA-3850-ABBF-016FCCAF161F}\TypeLib\Version = "e.1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEF95872-5108-3B21-945F-2AC999C690F9}\TypeLib\Version = "e.1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{757D1792-2ABC-3FDB-8D16-FB2D4CFD8C57} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{443882E6-D69C-4E94-A9A6-F2D6D856CC16} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9709CDB8-024E-3F23-8E49-657E60012D73}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF2FFA17-1D52-38D2-8B6A-CEA4C426C891} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{697DF027-B24E-11D3-B57C-00105AA461D0}\ = "FileConverter Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB3E2D5-EC9F-468F-834C-4CEC84FB2325}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{664D5B33-C2CC-4D66-94F8-E8E11FA39242}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F6C77B-0FFF-43F5-8DE3-0715163D80DD}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95ABC066-9919-4571-8387-7A7CFB5FAEEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97AC7381-9417-323E-8AAE-234B95A6157B}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{701DB470-B5AE-441C-B0DD-30EB08295310}\ = "IPXV_PagesRegions" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0A0E07E4-2B9B-3FA5-B0B3-E68FCB24E73F} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEF95872-5108-3B21-945F-2AC999C690F9}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A967E5C4-B0E1-11D3-B57C-00105AA461D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4F0EAD1-C256-40AD-9CCF-B9CD8872EC9A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BC27C16-F681-4800-9135-6572B6DCDA7A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9776114E-70C3-3EE4-B62F-4817230551DF}\TypeLib\Version = "e.1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{93693148-E57D-39F7-9315-3881783F12BD}\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AC7BA5F-0930-4D65-BE1C-06958D73B96F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{209EE7F1-1F4F-49EE-9F26-01D7118E48D1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5209D70B-F745-4442-A65E-C84161C8DBFE}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E18E8434-3DF3-4A20-BFDC-F1F5272F162E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C5BB3E9-6AFE-4894-BA80-5B774BE40011}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D14D8C84-A4A9-4CC4-AD61-441F949A360A}\ = "IPXV_FormFieldsList" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DA36BE4-B5F2-4B33-9D8C-72593FEBDF99}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GdPicture14.GdPicturePDF\CLSID C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E1B767DC-FD11-3C0F-827A-CCD1028D6A64}\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B1CB5B5-8FC9-426B-B0D0-42BCADFE3935}\ = "IFlag" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F3AF5ED-2318-4412-8EAD-758ACE549097}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0F41E67F-3AA5-3547-8841-142340C85844}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\FileCenter.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\FileCenter\\Main\\FileCenter.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75751C77-316F-447E-BA46-79F098261F6E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9709CDB8-024E-3F23-8E49-657E60012D73}\14.1.0.179 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3980AEA7-BD2A-4CB0-8826-8C9DEE1DF1A6}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CD8E0DB-0C08-4797-A518-34BDF033D11F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB3E2D5-EC9F-468F-834C-4CEC84FB2325} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF67F023-1C25-481D-8EE2-D522FC578CC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CD00BD8-331B-42A2-AEFB-B5F031FD69A1}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B6E58A1F-0605-33D3-9605-9EB516A173EE} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE3700AE-86F3-37A8-A2C8-8C0AA17E55E0}\TypeLib\Version = "e.1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{886A40F5-7B25-3959-A8F1-1861AE1B9AD5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp
PID 780 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp
PID 780 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp
PID 4748 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4324 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4324 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4748 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4748 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe
PID 4072 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4072 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4748 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4748 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4748 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4064 wrote to memory of 428 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 428 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 428 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4064 wrote to memory of 2068 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6QLHN.tmp\FileCenterSetup11 11.0.52.0.tmp" /SL5="$F0182,299742059,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe" -CLOSEALL

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-SMUP3.tmp\FileCenterUtils.exe" -INSTBEG

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart

C:\Windows\Temp\{82AEF2EE-01A9-4668-B742-FF759A129551}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{82AEF2EE-01A9-4668-B742-FF759A129551}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{1D5AEA50-1415-4096-BE11-4EF45A61285E}\.cr\PDFXLite9.exe

"C:\Windows\Temp\{1D5AEA50-1415-4096-BE11-4EF45A61285E}\.cr\PDFXLite9.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe

"C:\Windows\Temp\{624E923F-AC82-4866-9EF5-9CACC4E27E2D}\.be\PDFXLite9.exe" -q -burn.elevated BurnPipe.{FD380540-D821-4F0A-8177-965A59B110D0} {A6379FC9-DCE9-450B-96A6-83155A474D95} 4992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding F900AED27FC7970450177979F4B59484

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 4B8A84BEF78C7FA7404BB502426728A9 E Global\MSI0000

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp

"C:\Users\Admin\AppData\Local\Temp\is-48I9C.tmp\PDFX5SA_sm.tmp" /SL5="$70246,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe

"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 15:53

Reported

2024-06-14 16:41

Platform

win11-20240611-en

Max time kernel

351s

Max time network

348s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{be951518-e2b9-4247-8bad-83edab77d2db} = "\"C:\\ProgramData\\Package Cache\\{be951518-e2b9-4247-8bad-83edab77d2db}\\PDFXLite9.exe\" /burn.runonce" C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File opened for modification C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.gl-ES.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.hu-HU.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.sl-SI.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-N25VH.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-9OUNH.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-D9V1Q.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-568C4.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-DME72.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-KVMFJ.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.hr-HR.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-RRK7A.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-P2U93.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-2F6U7.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\DrvUI5.dll C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-G66KO.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-KR0CU.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-1H8O4.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-0NFBB.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-OR51K.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-HOFU7.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-KI0QO.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\is-L155N.tmp C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjpeg15.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Help\is-18CHL.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAdmin.exe C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.id-ID.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-NFTHA.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.zh-TW.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\lbvProt.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjbig215.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.de-DE.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\dinfo.dsf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\VSTwain.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\secman64.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\pxcdrv.xml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-BVA2L.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-7HUK6.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-EQFA9.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Uninstall\FileCenter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Jpeg.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-OG8HG.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-CN.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\Eztwain4.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-TJ64L.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-J5I2C.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ko-KR.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.fr-FR.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-555PO.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-AH0C7.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\dten600.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-H83LS.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-6MFUH.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.fr-FR.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.image.gdimgplug.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateAgentEx.exe C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-3DBVP.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.fi-FI.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\xccdx40.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsocr15.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.fi-FI.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\Perceptive.DocumentFilters.dll C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-AEQF5.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-T7V7M.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-49MB8.tmp C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIA017.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9CF3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D55.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9F6A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{99F0CAD1-7C91-4F99-8BA9-71E431EB13EA}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA652.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA8B4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5c9998.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D66.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D33.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D34.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9D44.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA932.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5c9998.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF24236D9508BE9286.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF9932ACD91CEE25EB.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{99F0CAD1-7C91-4F99-8BA9-71E431EB13EA}\AppIco C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5c999c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF3E73C47AB44EF1F3.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4DAD0BD2712EFA5A.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{99F0CAD1-7C91-4F99-8BA9-71E431EB13EA} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{E19D9779-2F5A-4C38-8F9C-6B2CD35F9C01}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe N/A
N/A N/A C:\Windows\Temp\{B3B4A728-ED5F-4A12-988F-FACA6FE38FE9}\.cr\PDFXLite9.exe N/A
N/A N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.1.0.179\Class = "GdPicture14.GdPicturePDFReducer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Class = "GdPicture14.GdPictureDocumentConverter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.1.0.179\Class = "GdPicture14.GdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\LocalServer32\ = "\"C:\\Program Files\\Tracker Software\\Update\\TrackerUpdate.exe\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\WOW6432Node\CLSID\{021BDF87-EEFB-4384-9183-F8170E3DC459}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Class = "GdPicture14.ThumbnailEx" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\Class = "GdPicture14.LicenseManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\Class = "GdPicture14.GdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.1.0.179\Class = "GdPicture14.GdPictureImaging" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.1.0.179 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08718A37-1C72-3F52-87EA-C89F0FEA6DD2} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{32D44884-99CC-3154-9F83-788F6C375F49}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B420703D-319C-33B1-B101-F9EB47316231}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C4B98F4-8043-47D2-BF47-38D9D7EFAAC8}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9DCA6E8-8C23-4765-8305-C58DEF3E27E0}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70026DA6-0CB8-4F47-8789-5DEF9F2BC4A1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C4D1C174-2404-38E0-841F-F6474A16250E}\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A79755A3-8507-48EE-A616-611BB01CF94B}\ = "IGdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7AE9EC0D-461F-3A88-9BAF-FE284C29099F}\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B27E7FF-6279-49DA-AE6B-8E13AD665B1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2AAC138-7C1A-4152-BA03-A323B908D72F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7ED881CB-9DA1-4D56-94E6-5DDE88D5E844}\ = "IPXV_PDFNamedDestsSelection" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{32D44884-99CC-3154-9F83-788F6C375F49}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F81C2131-65C0-3E5B-88CC-310F5F73773E}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B1C806E-791F-4D81-AD28-28C84A7F9626}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8CD00BD8-331B-42A2-AEFB-B5F031FD69A1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4426E5E7-731E-3834-BF42-5D2FFA357E1E}\14.1.0.179\Class = "GdPicture14.PdfTextDecorationStyle" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A79755A3-8507-48EE-A616-611BB01CF94B}\ = "IGdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DEF6A2E-AE0C-33DB-907D-F5C2153DE192}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB7399B9-914D-3C44-92A1-D3D8E9E0E0B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22B41BDF-FCC9-34BE-8E81-1E1DD84BC918}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2BED1B3D-33D6-3C4A-BB2D-DD32BB9CE79E}\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D5F404-EDB5-400C-92CD-4DD4180C13BB}\ = "IUIX_List" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F6C77B-0FFF-43F5-8DE3-0715163D80DD}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{67F52255-7F63-3886-8B4F-2CE58BE5791A}\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69CD38B0-3CA1-48D3-B1AA-21EBB9C78932}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75738A39-DE0A-3278-A2A6-44414D88375A} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1F49B42A-C265-37E2-9047-9A757A48A359}\14.1.0.179\Class = "GdPicture14.PdfColorSpace" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0425FA11-3762-3F0D-B044-833385D423F5} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5033D8D5-1C10-3359-B2AE-5B1B28D1A0BD}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84B23B1A-25E5-46A4-90ED-E4C8B678F535}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68983D9D-21E5-4A11-9928-74C284E8059A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\ProgId C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{426B5317-D5C9-411D-A518-E026C137E3F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B12F8F5E-D424-40F7-91DA-9BE02520AAA9}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96B2AE5F-BFDE-426A-A8C5-A7489C64F0C0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB3E2D5-EC9F-468F-834C-4CEC84FB2325}\ = "IUIX_InputFocusMonitor" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{991CD238-DF9A-3919-A245-0A668FAA979F}\14.1.0.179 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{85E1A04C-131E-3B22-B32E-AEBFA3807D8E}\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12A9C2C4-700D-3621-BF41-CA4109FB648A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{211AAF91-E97A-454C-9669-EDAEC904E16D}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4F8F66C-8F08-33CE-AEF2-AC3B0E8B9EFD}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C4FF719C-55CE-3E18-BA78-66C46023E9B2}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53674462-76AA-41A3-A5A3-5241912E4222}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CED0F57-B96A-4CF2-83B8-130E544A2644}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A17E454-5D3A-3D52-A777-81B2A7E22CE6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF68A980-B679-48CF-ADF3-951AD4BD343B}\ = "IPXC_DocSrcInfo" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4219B55E-27E5-349C-8935-4608241AC1DB}\14.1.0.179\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71F37A4F-596B-3E78-A0F7-2158335CC8DD}\14.1.0.179\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{32396BA9-AE47-3B2B-93E0-A968D7D41BF3}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C5A57C2-81CA-4F69-BC52-A86F244934AF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B94E5692-E801-32EB-866F-74C73E0F5DCE}\14.1.0.179 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7531ACC-4D30-3648-A313-E0918DEF364B}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9B0E3A81-9172-3E58-BEF4-A542D346CF39}\14.1.0.179\Assembly = "GdPicture.NET.14, Version=14.1.0.179, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C6E22F-8BE0-454F-9BEB-0AA6BAD031D0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C341E89-9DC0-4DDA-94D1-BE06A410FC14}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF79EF22-544F-4E0B-8557-57A7950A507C}\ = "IThumbnailEx" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{146A78C6-C6F0-3A13-A4E2-0F2DDF535EAC}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FECBB317-0A10-475D-886A-1345F764D242}\ = "IUIX_Spin" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3980AEA7-BD2A-4CB0-8826-8C9DEE1DF1A6}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp
PID 2792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp
PID 2792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp
PID 1200 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 4936 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4936 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1200 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 1200 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe
PID 2500 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2500 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1200 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 1200 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 1200 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4568 wrote to memory of 5048 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4568 wrote to memory of 5048 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4568 wrote to memory of 5048 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4568 wrote to memory of 3708 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp" /SL5="$4021A,299742059,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup11 11.0.52.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe" -CLOSEALL

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe" -INSTBEG

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart

C:\Windows\Temp\{E19D9779-2F5A-4C38-8F9C-6B2CD35F9C01}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{E19D9779-2F5A-4C38-8F9C-6B2CD35F9C01}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb

C:\Windows\Temp\{B3B4A728-ED5F-4A12-988F-FACA6FE38FE9}\.cr\PDFXLite9.exe

"C:\Windows\Temp\{B3B4A728-ED5F-4A12-988F-FACA6FE38FE9}\.cr\PDFXLite9.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe

"C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe" -q -burn.elevated BurnPipe.{A9733F22-9B43-408E-B01C-B682D4DF8CAA} {A6BD67A0-246D-427A-856C-21000F7FFE90} 352

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 95A8AD7A2551A88E8A087A9EF988BADF

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding B2A9A8680053C6C0B3F417FB57354D93 E Global\MSI0000

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FGIDR.tmp\PDFX5SA_sm.tmp" /SL5="$50286,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe

"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
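The Processes list above is the raw sandbox output. Before reading a chain this long an analyst usually reduces it to the handful of behaviours worth triaging: forced process kills, COM and .NET registration of dropped DLLs, MSI installation, restore-point creation, and the WiX Burn bootstrapper hops (the -burn.clean.room copy under C:\Windows\Temp and the -burn.elevated copy that runs after UAC). The script below does that reduction. It is an added example written for this page, not the sandbox's tooling and not FileCenter code; the rule names are the author's own, and SAMPLE is a subset of the (image path, command line) pairs copied from the Processes section above.

```python
"""Reduce a sandbox Processes list to the behaviours an analyst triages first.

Added example written for this page; it is not the sandbox's tooling and not
FileCenter code.  Rule names are the author's own.  SAMPLE is a subset of
(image path, command line) pairs copied from the Processes section above.
"""
import re
from collections import Counter

SAMPLE = [
    (r"C:\Windows\SysWOW64\TASKKILL.exe",
     r"TASKKILL /F /T /IM FileCenterAgent.exe"),
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb'),
    (r"C:\Windows\system32\msiexec.exe",
     r"C:\Windows\system32\msiexec.exe /V"),
    (r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (r"C:\Windows\system32\vssvc.exe",
     r"C:\Windows\system32\vssvc.exe"),
    (r"C:\Windows\Temp\{E19D9779-2F5A-4C38-8F9C-6B2CD35F9C01}\.cr\vc_redist.x86.exe",
     r'"C:\Windows\Temp\{E19D9779-2F5A-4C38-8F9C-6B2CD35F9C01}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /install /quiet /norestart'),
    (r"C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe",
     r'"C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.be\PDFXLite9.exe" -q -burn.elevated BurnPipe.{A9733F22-9B43-408E-B01C-B682D4DF8CAA} {A6BD67A0-246D-427A-856C-21000F7FFE90} 352'),
    (r"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe",
     r'"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent'),
]

# (tag, regex on the lowercased image file name, regex on the command line or None).
# Rules are deliberately narrow: taskkill only counts with /F, regasm only with
# /codebase, so a hit means the specific behaviour and not just the binary name.
RULES = [
    ("kill-process",     r"^taskkill\.exe$", r"(?i)\s/f\b"),
    ("com-register-dll", r"^regsvr32\.exe$", r"(?i)\.dll"),
    ("dotnet-register",  r"^regasm\.exe$",   r"(?i)/codebase"),
    ("msi-install",      r"^msiexec\.exe$",  None),
    ("restore-point",    r"^srtasks\.exe$",  r"ExecuteScopeRestorePoint"),
    ("vss-service",      r"^vssvc\.exe$",    None),
    ("burn-clean-room",  r".",               r"-burn\.clean\.room="),
    ("burn-elevated",    r".",               r"-burn\.elevated\b"),
    ("install-flag",     r".",               r"(?i)(^|\s)/install\b"),
]


def image_name(path: str) -> str:
    """Last path component, lowercased, so rules do not depend on the directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image: str, cmdline: str) -> list:
    """Tags whose image-name rule and (if any) command-line rule both match."""
    name = image_name(image)
    return [tag for tag, img_re, cmd_re in RULES
            if re.search(img_re, name)
            and (cmd_re is None or re.search(cmd_re, cmdline))]


def summarize(pairs):
    """Return ([(image name, tags)], Counter of tags).  Untagged rows are kept
    so the analyst still sees the whole chain, not only the hits."""
    rows = [(image_name(img), classify(img, cmd)) for img, cmd in pairs]
    return rows, Counter(t for _, tags in rows for t in tags)


if __name__ == "__main__":
    rows, counts = summarize(SAMPLE)
    for name, tags in rows:
        print(f"{name:40} {', '.join(tags) or '-'}")
    print("\ntag counts:", dict(counts))
```

All of these tags describe installer mechanics that a signed commercial installer and a dropper share, which is why the script keeps the untagged rows: the triage question is what the chain installs and what it talks to, not whether regsvr32 or msiexec ran.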

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp

The only traffic recorded in this run is a reverse-DNS (PTR) lookup for 8.8.8.8 sent to 8.8.8.8:53; no other destination appears in the capture, so this detonation shows no command-and-control or download activity to pivot on.

Files

memory/2792-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2792-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-M0F5H.tmp\FileCenterSetup11 11.0.52.0.tmp

MD5 985b35113f235669f1a6d68433f132aa
SHA1 63319f30be98d8f5ea9ac7645bea9988c7112a51
SHA256 1f94904366c055954741adbc6fd82673f452b153146aa68ebf4f47aeb8d085e6
SHA512 f33e2de4a24a6a416e01df903fe3c4b9fa94faaf0d7604917debe6faf01ddd1c57a1e3170daf1c10d7a9d10942f2ba908ff468e7a2b11612bf40713f3855d720

memory/1200-6-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe

MD5 090147e5e63cc87a989ba332353182f8
SHA1 ca9898e1a0ec45c136c96ab615055649998658b8
SHA256 1b8eb3a167ef9c44bbab4e0d7713ebef5b6235de706f77afbde71ee966ba9427
SHA512 6543968ccac2d5fcbeb25d95474af20652a53942abc37677fa175c678f21e40cb0bb99faed8df85fbccbed392e60593428ec75159a00af69f14433a1a2758c81

memory/3492-14-0x0000000000230000-0x0000000000C1B000-memory.dmp

memory/3492-16-0x0000000000230000-0x0000000000C1B000-memory.dmp

memory/2792-17-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1200-18-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1200-24-0x0000000000400000-0x000000000071A000-memory.dmp

C:\ProgramData\FileCenter\Settings-Custom.ini

MD5 df52ebded07c056234a08cf117191512
SHA1 4b9ac08ff667316a4fc882f278661f9eb9bda183
SHA256 2737f18fad469c3ced629d3eb6ce4cb2ded4d0b0b4639ca8eb3087924458b7ee
SHA512 481cb38200c9bb1981113469517dfc5e782108e6c3b7889d24c6e5eddf89a738a14ba0fb0db8e568529f784497f879e7bbad3e07a25add77341ac23344413587

memory/1856-27-0x0000000000230000-0x0000000000C1B000-memory.dmp

memory/1200-29-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4936-75-0x0000000000230000-0x0000000000C1B000-memory.dmp

memory/2500-77-0x0000000000230000-0x0000000000C1B000-memory.dmp

memory/1200-88-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1200-206-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe

MD5 6f25bb9dc8d1ab306f8b194aaea30362
SHA1 1b460b5924fd50d538d20523a3005fb98c41beb2
SHA256 2ec8367847328de772c3881d029ac0a7589e8911c49af7bc2f4810d8e8a58a09
SHA512 5c3caba4b60dd0fe1a227127ceecd1bb2d6422291ec2ba9daa89be567de6dee4d580afb584140d8c58d051c382a53e93a9969c29c6ca09077b861ae6902b61e9

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

MD5 9d7083706bacdec714582c6424952f5b
SHA1 34aa3e56d55b45bf533fb32277f74f72e7e9c892
SHA256 114d10c40377fe3288d1d4bb4d8fe1e04054ba9ac1e798f85489100489255b84
SHA512 a1a5dcc2eccf2350e81e11bbf1f1af27d126d13181b110a419e79e4cc03c56747dfb65cd96e6d8a728686de3b3240303d07e730cc0081275754e04c830952e80

C:\Program Files (x86)\FileCenter\Main\dten600.dll

MD5 ced6f9ca56a3946dc1cb4593d0532b25
SHA1 5f4bf602e229b874d6b92a66f605b0ac9363824f
SHA256 1fc8c68e33326ffa58aaaa5970d22ac130d8cc374be5afd105898d23b178ef3c
SHA512 a29b730050fb5e168c00e92aca2c0238db2f6fac2d3a6a1e926b9c02421672db5a9a2c3d56637e882fc045bbf85e2475cc452988bf2bea71520c6fd08d1e0ad1

C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll

MD5 47b0dd8a0c43a21b67f88922b040e1df
SHA1 f133a0d2383042b9ac9b25844c85cc2d693ec31f
SHA256 c67f53f74891be08e3d4fac6f6ec316e0d575cbda1416585af6bb53a59f5a917
SHA512 2434e4a1dfb6dd9421675eaa5938f355abdcb44c7d3e376bd61cf7f663511765b15206510ba9b78021345c231bf1e56a0317432f83ffbd2fd493c14c0471a668

C:\Program Files (x86)\FileCenter\Main\lbvProt.dll

MD5 4a684bdbf4efa78f37c0bba41f442dbb
SHA1 b3c185c099d0ce8b89bd0d2342115934cf7d862d
SHA256 ada272bac884ac071c1936335bd32ec5f6853cc4eb6f58f5ed36bd0438c35c47
SHA512 e463801843540b6bcee526f8053d1dfbc62bdf7a1b27c4238852aad2f8e41161f38c6ab4d85a7bccf1e0cf0525ea83201547b23f4a2d977d557d2203d5471104

memory/3708-590-0x0000000000230000-0x0000000000238000-memory.dmp

memory/1220-594-0x0000000010000000-0x00000000101C8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\secman.dll

MD5 085d87f49daf13496e0e018c4008fae6
SHA1 4b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256 d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA512 52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

C:\Program Files (x86)\FileCenter\Main\VSTwain.dll

MD5 13f5f7e228ce2b8a3a41dbad4e451279
SHA1 1b3837572602b2620b75bf2ad2aeab89a64f5287
SHA256 11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA512 24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll

MD5 67ce59f916d43a646960d2bca8ecf3be
SHA1 b54acb22683a011638c51255af34754c6b3c7c34
SHA256 dcc2a49afbdf1c9b0cc508fd1fb3279199d3dd539c4a975c210f8e3391ffe3a7
SHA512 0b68e10890516cab69158deef51fc380dbb2a8bc46e03c68cf9bf44527382111ad79956caa44386345070c35e04918d3c41c1cbb65fa2951d6b6f2525dbbd3fe

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini

MD5 70da425f8aac14b1484047edb83e60e8
SHA1 69d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512 a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

memory/4932-601-0x0000000000A70000-0x0000000000A82000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll

MD5 925b98fec7a03a47f4798169f9bf6ced
SHA1 45eb030dd64ddfa03297f11721437094d6622dd3
SHA256 0a726fb5a10885eeaabc7321970d90d36d1ab03d83258f2b21f0a511d143ecb0
SHA512 ecfd01f15e8b57d9f44ee1eea311a3f9b7d825175f3cffb9b66e7ffce7da0cd2e0acb444cacdf77a4b552ab67900f1e87cb0f8aca0aa8eac295fa79a5cb1d6ef

memory/4932-605-0x0000000007190000-0x0000000008CF0000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

memory/4932-609-0x0000000005D50000-0x00000000062F6000-memory.dmp

memory/4932-614-0x00000000058B0000-0x0000000005942000-memory.dmp

C:\Windows\Temp\{E19D9779-2F5A-4C38-8F9C-6B2CD35F9C01}\.cr\vc_redist.x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Windows\Temp\{6AEEF0E8-D940-4A7D-82C9-416FCA898CD6}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{6AEEF0E8-D940-4A7D-82C9-416FCA898CD6}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

MD5 26be6baab6fb50dfe1fea06047506e44
SHA1 636ea999d9df27e4869740219653f405d1a1ab41
SHA256 38c57947b6e6935d88f8c6ee39fb254b60897e98d5de2b1497ba719a17970d7d
SHA512 d12139b81d86ad1977e8cb3d87d90491785c5ca4856415a8fd0ff38dfbfb8005a2d3be3fc8aa95b3d3a52cd21abb2cb3bf26e518a24d4312c7ed2c339e8da44e

memory/4932-698-0x0000000006920000-0x0000000006F38000-memory.dmp

C:\ProgramData\FileCenter\Config.ini

MD5 b2ad8f8dcc45644ea167317d050faac4
SHA1 215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA256 9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512 528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

memory/4932-704-0x0000000006590000-0x00000000065B2000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb

MD5 3401c5f86cf245673fe55318d938163d
SHA1 02e9ab13bba347ee26dede59bc935ea16a8946d3
SHA256 b486f87256ae3ac82211fc3883094415d75db8dcaa2e6e387c362f2fcfbc3a50
SHA512 68d9c11cf58f6e597fabf59ca6ec5f7d7a48a3dc9ce19a46e6b97b20857b51df2875a0cab2569e53226e1a1e35116a5e126f724ada5ace8662a9b4d8eeabc3be

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite9.exe

MD5 8c80b491d533a8390ef6bbc8a4608a52
SHA1 6033602b504a3e43dc045b6e44f935e58cebae30
SHA256 3e22eee0ff6387ef536e10d7f0383653accaa71cec95567427b41dd5374b3ad7
SHA512 db9d9b312aab799d64ea338ac85d956ef3ff6e9b8b7153c2c1cea8a602c6750157478059d38fe82e38b07bbeb18b31fb478d281f862f0ee2d2aa965f6c2c9ad3

memory/4864-709-0x0000013A4FA40000-0x0000013A4FA50000-memory.dmp

C:\Windows\Temp\{B3B4A728-ED5F-4A12-988F-FACA6FE38FE9}\.cr\PDFXLite9.exe

MD5 b75d36319717de2fb88f45ff007fca8d
SHA1 b7c79e5c0c2df9917ac086dbc11a8e3c1d8fdd53
SHA256 1a1796cf00874d5447988e71ef66fdab3bbea27e7c0f6326b9545a5363113137
SHA512 092dd3bddec95dd320d124257c3dd23a18dc7f6609cd81891f50dd6a1b7c67837a1c183512d319a3372389807a946aa37bf43dea75ec2fb58beba8b21fae4cb5

memory/4864-715-0x0000013A6BB80000-0x0000013A6D6E0000-memory.dmp

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.ba\wixstdba.dll

MD5 0ba387d66175c20452de372f8dbb79fe
SHA1 5411d41a7d88291b97fb9573eb6448c72e773b70
SHA256 7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA512 13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\.ba\logo.png

MD5 04967ef5107480ea36b3e2e97af7eb7a
SHA1 6efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA256 63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA512 00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

memory/4864-745-0x0000013A6ABF0000-0x0000013A6AC12000-memory.dmp

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\PkgLite64

MD5 2886ad1511893e6f33127ce43f996c5d
SHA1 d97b440157d6a064434efb17107c27b088e63119
SHA256 33125f70fd2cb4b7a3647652905f7ab619d83b9500384a1df125a520eb71ebed
SHA512 5f5e2e701cedb2d47d245e6d987a772719bb727105e862834d516bdc09f00d708c54e23bba14271c91c636601d4c04566ba885c47a0cd08b6e327cb9730f020d

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\cab5DD1590118F3640F385DB3EB2F516E5C

MD5 62982be8404172798c180e9f6fd2302e
SHA1 18af2866e5655dce26f09aba48714e57e9a3b3b5
SHA256 84522651be2b244b53c8cadadb9abb11418c2b4daef42786ab80367f1155e65e
SHA512 3ea5d4aecfe07258da49dd1df4cf175c08e33a509a68743bc18f9c770137c06220808a128d6d3637515ce878e84b66a9b84289b3eb37cf49971ca1d8f4e72b18

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\cab8D36E281ACA51D7FBE9AB973BE9B36E3

MD5 dff2df55d0d52211bd0e873ae9c3a696
SHA1 49def2f68992d24cfa77002284ca2616726f11a9
SHA256 06a036bc395e12c0121e79017866f0b72fe8db8bc55ce601d898144e3edf55dc
SHA512 ce4e9bcbe90182281694fc0b6256cf51a3a91cbb42ecf16422443a158d77730e809f2e105f20d234d314a32ad6acf6016bb261e55b1ed34ea998f7216ff551a2

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\cab20036D21E40418DD3280D692958B9275

MD5 4510e6c8c033bcf9d0d1b35e0637ea16
SHA1 28e83a26f545f7266697392b4583b734000d4b4a
SHA256 32ce28315c08cc4bdc95d5cc5896c33904faecf10363b94ae5b3b4fc9bcfa9fc
SHA512 021712198f6d56e19f51593e578699544234afe00342efbae1339f209def1d5f890a9d09442f5a09efa001362a99d411d15c4454d47a2570054b5f236c306a5e

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\cab66549ACD4EE6139A64068CA8626575A9

MD5 55627f00c552a612bedfb69e069e08d2
SHA1 d58519e3ec31c1fa02d46708d434aa1f3bfcfcf2
SHA256 f6dd3050132de914a40625c3ea82b246a1e781f3bcdeecbc4241e017aa38d808
SHA512 5df5493eced3645a118a60534a94139498c2a07f4d8ea7af335d63576efdf0737a65e4c658def80ef8c7d09a87d838b2f101c4eb5c9429dd0cc74f029e174fd3

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\cab20F2A2993791BDD97B003B5578C7EAC7

MD5 647218104e6cdea409ccdd776c11163c
SHA1 d8424c388557c0ee6a4b1e63f63a26084207fd3c
SHA256 ec4506ba42d24229dc029f855827b8aebf57c9fac80ba42ae33d2bd4c98bd002
SHA512 aced722731da8f22b8794526a490776cf61b5652c15436ca1d5cc6a2bb8f94417908241ccb7fa8b5468cbde18f67652d9e1e4efef26d4820ee553921d95afa67

C:\Windows\Temp\{EC81A707-66A7-4227-9D86-FDC9FF4F7055}\cab293E212B151FCAC5768C99D66AA8D9AE

MD5 394b5546caa92497fba09269acd0582d
SHA1 f71b39be99a319a32dd94d85e1d9fac021a7c670
SHA256 5b6baae7cef642f2d77f13e8335f4486dbb50f22f382fe915864a0cce2d4d22b
SHA512 f45ba65fedb2e46b6748b996d82a64534437935eae7c00f37468a9d23c7a3e5c3190e3f3208963ad39f9e416861999f1fb534f0cdead4834ab9aad851fd432f8

C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt

MD5 d4c4c041dd1517d58bd237dcb3e4b688
SHA1 ef049ca88c6ac44477d27a26ebe002fe02ddaf4d
SHA256 48fa9fadc4bcf7ac29b2af6da59c945286436172af2509be81049df351cccc2d
SHA512 0d3c56d9bf2fa071046f2a532e7de2f4da1114b12051372994ba1fe8379264625b3ebbbbd211ed2cd4c6faf68ab75b217a2a488da1f60ac1ff1e629832fa592b

C:\Windows\Installer\MSI9CF3.tmp

MD5 6222d3af4c822d424a867862e8bef079
SHA1 b1b064ddd5f97c42fd7ce876eb4834d6940c8798
SHA256 63d4a615e2eb7796628fff89aefc97e8d1bdc5f190bd54326638f5d1fa55a830
SHA512 1499c2df773262182415570890aaa96b99fff0090a9932cf11686f4871e1792fe9f0601416ee53a5c86a7b4e1cd376fae04348f0b4e7597ef1a8a13139306691

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 03117cba865a9440a3f4fc88147c3902
SHA1 6546c1b7b80ec696394cb13c12a6511f090f157f
SHA256 fd05547cc7166ffb374e079f99013af0b12e3304593f1c789236ed06e7b10a9d
SHA512 b4a0006553b0c47667e2854e1ec78f544e49cb568999092fe9484bcb75c758c3915b231855b1f66a26c63a4346100f61d10ff8d005ac44881ec104beaa48c548

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 aa3e0f233f926624ca5832985d0e024f
SHA1 3ebe78b489063c5745edaaf19bca7f11d011ff31
SHA256 956b2127c19860ce7d1965e08bc7f4e61f428c979a1e3ba6692f33b8b924b34d
SHA512 18d7d12d6cbd4b015963dfd3c3340fdbfa664be3051070e45e01f5f0db8cd2d4c1b6d9531bc0837d04bd1238a8952a641169f3bb14f0fd4323354a685bc1fe62

C:\Config.Msi\e5c999b.rbs

MD5 fbbdcd021d0e077908fbfc3ede88f3ed
SHA1 5a0e1b2e354366560c1a41f722eb516b2fb7e54f
SHA256 73fd468741a4ff2e0ca6ab733beb02b550ebfcf9f3d1e4ccff83b2592c3322f4
SHA512 c8838c14816cb152e0223f29434a3bcf233a328318858d138053ec37e75a10898bfc3bbd9471bd0fa4f04ab690baa4731f8fead3b680ce38596e437a0bce8716

C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll

MD5 2fbf69d014ae135d473ec8243d44be9e
SHA1 2c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA256 6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512 530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

memory/1200-1061-0x0000000000400000-0x000000000071A000-memory.dmp
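The Files section interleaves dropped files, each with four digests, with memory-dump regions named memory/PID-seq-start-end, and the same path can appear more than once with different hashes (C:\Users\Admin\AppData\Local\Temp\prnInstaller.log is listed twice above, i.e. it was rewritten during the run). Before these hashes go into a blocklist it is worth parsing the section into records, checking that every digest has the length its algorithm requires, keeping every distinct SHA256 for a rewritten path, and grouping the memory regions per PID. The parser below is an added example written for this page, not the sandbox's own export code; SAMPLE is a short excerpt copied verbatim from the Files section above.

```python
"""Parse the Files section of a sandbox report into checked IOC records.

Added example written for this page, not the sandbox's own export code.
SAMPLE is an excerpt copied verbatim from the Files section above.
"""
import re
from collections import defaultdict

SAMPLE = r"""memory/2792-0-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-M2APD.tmp\FileCenterUtils.exe

MD5 090147e5e63cc87a989ba332353182f8
SHA1 ca9898e1a0ec45c136c96ab615055649998658b8
SHA256 1b8eb3a167ef9c44bbab4e0d7713ebef5b6235de706f77afbde71ee966ba9427
SHA512 6543968ccac2d5fcbeb25d95474af20652a53942abc37677fa175c678f21e40cb0bb99faed8df85fbccbed392e60593428ec75159a00af69f14433a1a2758c81

memory/1200-6-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 03117cba865a9440a3f4fc88147c3902
SHA1 6546c1b7b80ec696394cb13c12a6511f090f157f
SHA256 fd05547cc7166ffb374e079f99013af0b12e3304593f1c789236ed06e7b10a9d
SHA512 b4a0006553b0c47667e2854e1ec78f544e49cb568999092fe9484bcb75c758c3915b231855b1f66a26c63a4346100f61d10ff8d005ac44881ec104beaa48c548

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 aa3e0f233f926624ca5832985d0e024f
SHA1 3ebe78b489063c5745edaaf19bca7f11d011ff31
SHA256 956b2127c19860ce7d1965e08bc7f4e61f428c979a1e3ba6692f33b8b924b34d
SHA512 18d7d12d6cbd4b015963dfd3c3340fdbfa664be3051070e45e01f5f0db8cd2d4c1b6d9531bc0837d04bd1238a8952a641169f3bb14f0fd4323354a685bc1fe62

memory/1200-18-0x0000000000400000-0x000000000071A000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def parse_files(text: str):
    """Return (file records, memory regions, errors).  Any non-blank line that is
    neither a memory line nor a hash line starts a new file record; hash lines
    attach to the most recent record and are rejected if their length is wrong."""
    files, regions, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                errors.append(f"hash line without a path: {line}")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"{current['path']}: {algo} has {len(digest)} hex chars")
            else:
                current[algo] = digest
            continue
        current = {"path": line}
        files.append(current)
    return files, regions, errors


def rewritten_paths(files):
    """Paths listed more than once with different content, with every SHA256 seen."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[f["path"]].add(f["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def ioc_lines(files):
    """One line per distinct SHA256 (first path kept for context), blocklist-ready."""
    seen = {}
    for f in files:
        if "SHA256" in f:
            seen.setdefault(f["SHA256"], f["path"])
    return [f"{h}  {p}" for h, p in seen.items()]


def regions_by_pid(regions):
    """Memory regions per PID as (hex start, size in bytes), in report order."""
    out = defaultdict(list)
    for r in regions:
        out[r["pid"]].append((hex(r["start"]), r["size"]))
    return dict(out)


if __name__ == "__main__":
    files, regions, errors = parse_files(SAMPLE)
    print("\n".join(ioc_lines(files)))
    print("rewritten:", rewritten_paths(files))
    print("regions:", regions_by_pid(regions))
    print("errors:", errors)
```

Keying the IOC list on SHA256 rather than on path is what makes the rewritten log harmless: both versions of prnInstaller.log survive as separate entries, while a path that is dumped repeatedly with the same content collapses to one. The length check catches the most common copy-and-paste damage in hash lists (a truncated SHA512, an MD5 pasted into the SHA1 column) before it silently becomes a blocklist entry that can never match.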