vidar | df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9

Resubmissions

25-06-2024 14:19

240625-rm6bxsvdkb 6

21-06-2024 15:11

240621-sknjrsygjm 6

17-06-2024 17:09

240617-vn6wmawhlb 10

14-06-2024 13:23

240614-qmxjcawdmm 10

Analysis

max time kernel
84s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
17-06-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileCenterSetup12.0.16.0.exe
Size

300.4MB
MD5

123556b83a3dad2f59e76602768e9536
SHA1

b402ded286fff73aaf9b32f075bc32029da6d461
SHA256

df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
SHA512

bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
SSDEEP

6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx

Score

10^/10

vidar discovery persistence stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FileCenterSetup12.0.16.0.tmpPDFXLite10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce"	PDFXLite10.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

22 4904 msiexec.exe
23 4904 msiexec.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

MsiExec.exe

description ioc process

File opened for modification C:\Users\Public\Desktop\desktop.ini MsiExec.exe

flow	pid	process
22	4904	msiexec.exe
23	4904	msiexec.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 9 IoCs

Processes:

PrnInstaller.exeprninstaller.exe

description	ioc	process
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml	PrnInstaller.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File created	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL	prninstaller.exe
File created	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File opened for modification	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File opened for modification	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL	prninstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpmsiexec.exePDFX5SA_sm.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterAutomate.exe	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-S3UTN.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-TC5OQ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.it-IT.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.ko-KR.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ru-RU.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsbarcodeevoi.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\VSTwain.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\EZT4Curl.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-6FPM2.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-56KAV.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.de-DE.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-N9OF5.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrspng15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-ME9QM.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-ACB01.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-S6SOH.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-GRA19.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-M3AON.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-DDUML.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-0IQOA.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ar-SA.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-GDHE9.tmp	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-ISGHE.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\dten600.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-BC7DU.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-IDRRE.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sl-SI.xcl	msiexec.exe
File created	C:\Program Files\Tracker Software\Vault\XCVault.exe	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.ca-ES.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\ISYS11df.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\secman64.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-9N0N2.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.es-ES.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.hr-HR.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\PrnInstaller.exe	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Samples\is-BNQI6.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.barcode.1d.reader.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-64HKO.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.es-ES.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.sw-KE.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-PVLT3.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-B894J.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-34TA8.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-SAJMQ.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Help\fc-receipts.chm	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdmtxbarcodewrapper15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-8IIT7.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-8AQTF.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-PDRLI.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-LHDKH.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-UHALA.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.nl-NL.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.it-IT.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.lt-LT.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\FowpKbd.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-MNH15.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-BFJJJ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.pt-PT.xcl	msiexec.exe
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\x86\pxcdrvL.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsprepro15.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineSI.exe	FileCenterSetup12.0.16.0.tmp

Drops file in Windows directory 24 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5650.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFB55466E920F8FB0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5506.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5437.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54D6.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}	msiexec.exe
File created	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI53F7.tmp	msiexec.exe
File created	C:\Windows\Installer\e585032.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF054A37D9107D8A9A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58502e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5438.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF89695EB81DCEBB25.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CAC.tmp	msiexec.exe
File created	C:\Windows\Installer\e58502e.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF064DF0761007DD87.TMP	msiexec.exe

Executes dropped EXE 27 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeGdPictureComReg.exevc_redist.x86.exevc_redist.x86.exeFileCenterAutomateService.exeFileCenterUtils.exePDFXLite10.exePDFXLite10.exePDFXLite10.exePrnInstaller.exepdfSaverL.exepdfSaverL.exeFileCenterUtils.exePDFX5SA_sm.exePDFX5SA_sm.tmpprninstaller.exepdfSaver5.exeXCVault.exeFileCenter.exepdfSaverL.exepdfSaverL.exe

pid	process
4664	FileCenterSetup12.0.16.0.tmp
3672	FileCenterUtils.exe
5056	FileCenterUtils.exe
3188	FileCenterUtils.exe
4736	FileCenterUtils.exe
2648	FileCenterUtils.exe
4136	GdPictureComReg.exe
2708	vc_redist.x86.exe
3088	vc_redist.x86.exe
1532	FileCenterAutomateService.exe
2552	FileCenterUtils.exe
5088	PDFXLite10.exe
1596	PDFXLite10.exe
3068	PDFXLite10.exe
1032	PrnInstaller.exe
2120
1688	pdfSaverL.exe
5084	pdfSaverL.exe
1220	FileCenterUtils.exe
1908	PDFX5SA_sm.exe
1380	PDFX5SA_sm.tmp
3104	prninstaller.exe
3448	pdfSaver5.exe
5064	XCVault.exe
4480	FileCenter.exe
1844	pdfSaverL.exe
1900	pdfSaverL.exe

Loads dropped DLL 31 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregasm.exevc_redist.x86.exePDFXLite10.exeMsiExec.exeMsiExec.exePDFX5SA_sm.tmpFileCenter.exe

pid	process
700	regsvr32.exe
4864	regsvr32.exe
904	regsvr32.exe
1384	regsvr32.exe
4888	regsvr32.exe
1992	regsvr32.exe
1992	regsvr32.exe
1992	regsvr32.exe
3576	regasm.exe
3576	regasm.exe
3576	regasm.exe
3576	regasm.exe
3088	vc_redist.x86.exe
1596	PDFXLite10.exe
2648	MsiExec.exe
2648	MsiExec.exe
2648	MsiExec.exe
2648	MsiExec.exe
2648	MsiExec.exe
2648	MsiExec.exe
2648	MsiExec.exe
3088	MsiExec.exe
3088	MsiExec.exe
2648	MsiExec.exe
1380	PDFX5SA_sm.tmp
2120
2120
4480	FileCenter.exe
4480	FileCenter.exe
4480	FileCenter.exe
4480	FileCenter.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regasm.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\Class = "GdPicture14.AnnotationManager"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\Class = "GdPicture14.GdViewer"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Class = "GdPicture14.PDFReducerConfiguration"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\Class = "GdPicture14.LicenseManager"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.69.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.69.0\Class = "GdPicture14.AnnotationManager"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Class = "GdPicture14.GdPictureDocumentConverter"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Class = "GdPicture14.ThumbnailEx"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdPictureImaging"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Class = "GdPicture14.BookmarksTree"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdPictureSegmenter"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0	regasm.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\WOW6432Node\CLSID\{021BDF87-EEFB-4384-9183-F8170E3DC459}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\Class = "GdPicture14.GdPictureDocumentUtilities"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdViewer"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\ = "C:\\Windows\\system32\\mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\Class = "GdPicture14.GdPictureImaging"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ = "mscoree.dll"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\Class = "GdPicture14.Imaging.GdPictureRectangleF"	regasm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ee7f732e8cf5793f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ee7f732e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ee7f732e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dee7f732e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ee7f732e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Kills process with taskkill 27 IoCs

evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid	process
2548	TASKKILL.exe
580	TASKKILL.exe
5088	TASKKILL.exe
1132	TASKKILL.exe
864	TASKKILL.exe
4984	TASKKILL.exe
4964	TASKKILL.exe
904	TASKKILL.exe
928	TASKKILL.exe
2928	TASKKILL.exe
2836	TASKKILL.exe
4872	TASKKILL.exe
4688	TASKKILL.exe
4172	TASKKILL.exe
2188	TASKKILL.exe
2500	TASKKILL.exe
3288	TASKKILL.exe
1360	TASKKILL.exe
3284	TASKKILL.exe
4200	TASKKILL.exe
788	TASKKILL.exe
3076	TASKKILL.exe
1672	TASKKILL.exe
3508	TASKKILL.exe
3460	TASKKILL.exe
1836	TASKKILL.exe
1776	TASKKILL.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

PDFX5SA_sm.tmpmsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\"	PDFX5SA_sm.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3"	PDFX5SA_sm.tmp
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}	PDFX5SA_sm.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe"	PDFX5SA_sm.tmp

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregasm.exeregasm.exeregsvr32.exeregsvr32.exepdfSaver5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{816CDC47-C3A9-4671-A17C-790D90CD38E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D9725FB-C4AE-3241-87C2-74EB5AEF08C5}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1B4807E-65DB-4FE7-88FE-DB703CF57807}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{579D24AF-3D4A-37C4-83F9-4425875420C6}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFE955F3-4ADE-4C79-B40A-8DD1955A328F}\ = "IScopeTable"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CCBAA52-8111-4806-B7EA-E0672F8382CD}\ = "IUIX_IndexNavigator"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{107507E4-8258-4E89-9167-CADCD46059BB}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{757D1792-2ABC-3FDB-8D16-FB2D4CFD8C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFXEdit.PXV_Control\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1CB9426-FA08-4829-8470-C8C7FF7F7A00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75738A39-DE0A-3278-A2A6-44414D88375A}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F437265A-6A1D-3D0B-BAD6-927B3FBD1870}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C341E89-9DC0-4DDA-94D1-BE06A410FC14}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1F453A2D-3447-3EA2-8BF2-72D23DBE1763}\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{999A6C12-A602-4601-9866-0B9AE973B7F2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB7399B9-914D-3C44-92A1-D3D8E9E0E0B7}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{98A91833-FF3A-34C5-8687-A7D4FBCD758C}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{697DF02C-B24E-11D3-B57C-00105AA461D0}\ = "IWordListBuilder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0AAB4D6-161B-4ED0-8BA2-BDD15BF79C47}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27F3CABC-31C1-4B29-A782-B68D4F4EA61A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3032FD95-B715-3197-9D59-72A49D4406CC}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A967E5D1-B0E1-11D3-B57C-00105AA461D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4F44B54-E71F-41F9-95E7-401437931922}\ = "IUIX_ObjImpl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F605-B8D3-4478-BDBA-7021069C464F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A018E70A-4E56-44ED-8E14-BB82ED650C38}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF79EF22-544F-4E0B-8557-57A7950A507C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{728DE4F5-1EC1-36CD-A66A-2A879E0CD577}\ = "_AnnotationPolygon"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21934FDF-3C12-386C-AF83-930445E4BF5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C199F2-0F2A-4E4A-80C9-F5B36D96F527}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD7FAFAA-9748-4CFC-B134-D3B2CA96B4F8}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CB6A5453-A446-37E7-94AA-69FFAA6BAEF8}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74CB8E24-D85D-4A6D-BE72-AF57F21A1034}\ = "IPXV_OpenFilesDlgRes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8934FF21-97DD-3A3A-A58D-327BAA701B1E}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{770AC2F7-EEDB-3BD2-929D-A31F37ECA030}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD3E64CE-677F-4A57-89A3-08250712CCF2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0BCE7AC-1387-4C70-9184-912EB94AE3ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14587E1E-35FA-4716-AE19-A18E355EFA17}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{09EA520D-7D38-4CB7-A9A4-75D3091D1886}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E2CC9E0-0E1D-3BB4-978C-49CB86E5389F}\14.2.69.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8EEA099A-C845-39D0-855A-48DDD6387A2C}\14.2.69.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE4EB426-7321-3D5B-A255-694F9D887551}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E09B1C3C-4818-319E-8C07-BCEAB34C5DF6}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5CABA2F-B413-4C6F-94B6-0B573AFD07EB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\ = "mscoree.dll"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB2B171B-0765-3453-975D-05DDFAC1DACA}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6910CD2-DD1E-3C78-BE53-5F96E5EF96BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FBA9A67E-B04B-344A-87F1-EEA9EBDBB4A9}\14.2.69.0\Class = "GdPicture14.ViewerDocumentPosition"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24DFB749-780D-41B4-9BE3-8894D202B944}\Programmable	pdfSaver5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{419BF6AA-AA35-3FBC-B01B-554F71547437}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3BBC168-3896-467E-9C5D-D46845C0E25E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE52AAD-8807-46DA-8EF6-C20E2E8AEF2D}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1491043E-1B4D-489D-BED8-B9E2E7598289}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F6F77C6-6570-3583-B9E4-95C1551B0455}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A423192-ADF5-313F-A768-6FCD2AA5192D}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A967E5D2-B0E1-11D3-B57C-00105AA461D0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63375FB3-4F89-42F0-8090-209E954EBA1A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C6E22F-8BE0-454F-9BEB-0AA6BAD031D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4BB41F56-27B6-359C-9BA5-13E1D21488BF}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B27E7FF-6279-49DA-AE6B-8E13AD665B1F}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

FileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeregsvr32.exeFileCenterAutomateService.exeFileCenterUtils.exemsiexec.exeMsiExec.exeFileCenterUtils.exePDFX5SA_sm.tmpFileCenter.exe

pid	process
3672	FileCenterUtils.exe
3672	FileCenterUtils.exe
5056	FileCenterUtils.exe
5056	FileCenterUtils.exe
3188	FileCenterUtils.exe
3188	FileCenterUtils.exe
4664	FileCenterSetup12.0.16.0.tmp
4664	FileCenterSetup12.0.16.0.tmp
4736	FileCenterUtils.exe
4736	FileCenterUtils.exe
2648	FileCenterUtils.exe
2648	FileCenterUtils.exe
1992	regsvr32.exe
1992	regsvr32.exe
1532	FileCenterAutomateService.exe
1532	FileCenterAutomateService.exe
2552	FileCenterUtils.exe
2552	FileCenterUtils.exe
4904	msiexec.exe
4904	msiexec.exe
2648	MsiExec.exe
2648	MsiExec.exe
1220	FileCenterUtils.exe
1220	FileCenterUtils.exe
1380	PDFX5SA_sm.tmp
1380	PDFX5SA_sm.tmp
4480	FileCenter.exe
4480	FileCenter.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

Processes:

FileCenter.exe

pid process

4480 FileCenter.exe
4480 FileCenter.exe
4480 FileCenter.exe

pid	process
4480	FileCenter.exe
4480	FileCenter.exe
4480	FileCenter.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4964	TASKKILL.exe
Token: SeDebugPrivilege	2188	TASKKILL.exe
Token: SeDebugPrivilege	3460	TASKKILL.exe
Token: SeDebugPrivilege	1672	TASKKILL.exe
Token: SeDebugPrivilege	4172	TASKKILL.exe
Token: SeDebugPrivilege	1132	TASKKILL.exe
Token: SeDebugPrivilege	5088	TASKKILL.exe
Token: SeDebugPrivilege	1360	TASKKILL.exe
Token: SeDebugPrivilege	3076	TASKKILL.exe
Token: SeDebugPrivilege	1836	TASKKILL.exe
Token: SeDebugPrivilege	2928	TASKKILL.exe
Token: SeDebugPrivilege	788	TASKKILL.exe
Token: SeDebugPrivilege	2500	TASKKILL.exe
Token: SeDebugPrivilege	904	TASKKILL.exe
Token: SeBackupPrivilege	1352	vssvc.exe
Token: SeRestorePrivilege	1352	vssvc.exe
Token: SeAuditPrivilege	1352	vssvc.exe
Token: SeShutdownPrivilege	3068	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	3068	PDFXLite10.exe
Token: SeSecurityPrivilege	4904	msiexec.exe
Token: SeCreateTokenPrivilege	3068	PDFXLite10.exe
Token: SeAssignPrimaryTokenPrivilege	3068	PDFXLite10.exe
Token: SeLockMemoryPrivilege	3068	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	3068	PDFXLite10.exe
Token: SeMachineAccountPrivilege	3068	PDFXLite10.exe
Token: SeTcbPrivilege	3068	PDFXLite10.exe
Token: SeSecurityPrivilege	3068	PDFXLite10.exe
Token: SeTakeOwnershipPrivilege	3068	PDFXLite10.exe
Token: SeLoadDriverPrivilege	3068	PDFXLite10.exe
Token: SeSystemProfilePrivilege	3068	PDFXLite10.exe
Token: SeSystemtimePrivilege	3068	PDFXLite10.exe
Token: SeProfSingleProcessPrivilege	3068	PDFXLite10.exe
Token: SeIncBasePriorityPrivilege	3068	PDFXLite10.exe
Token: SeCreatePagefilePrivilege	3068	PDFXLite10.exe
Token: SeCreatePermanentPrivilege	3068	PDFXLite10.exe
Token: SeBackupPrivilege	3068	PDFXLite10.exe
Token: SeRestorePrivilege	3068	PDFXLite10.exe
Token: SeShutdownPrivilege	3068	PDFXLite10.exe
Token: SeDebugPrivilege	3068	PDFXLite10.exe
Token: SeAuditPrivilege	3068	PDFXLite10.exe
Token: SeSystemEnvironmentPrivilege	3068	PDFXLite10.exe
Token: SeChangeNotifyPrivilege	3068	PDFXLite10.exe
Token: SeRemoteShutdownPrivilege	3068	PDFXLite10.exe
Token: SeUndockPrivilege	3068	PDFXLite10.exe
Token: SeSyncAgentPrivilege	3068	PDFXLite10.exe
Token: SeEnableDelegationPrivilege	3068	PDFXLite10.exe
Token: SeManageVolumePrivilege	3068	PDFXLite10.exe
Token: SeImpersonatePrivilege	3068	PDFXLite10.exe
Token: SeCreateGlobalPrivilege	3068	PDFXLite10.exe
Token: SeRestorePrivilege	4904	msiexec.exe
Token: SeTakeOwnershipPrivilege	4904	msiexec.exe
Token: SeBackupPrivilege	2456	srtasks.exe
Token: SeRestorePrivilege	2456	srtasks.exe
Token: SeSecurityPrivilege	2456	srtasks.exe
Token: SeTakeOwnershipPrivilege	2456	srtasks.exe
Token: SeBackupPrivilege	2456	srtasks.exe
Token: SeRestorePrivilege	2456	srtasks.exe
Token: SeSecurityPrivilege	2456	srtasks.exe
Token: SeTakeOwnershipPrivilege	2456	srtasks.exe
Token: SeRestorePrivilege	4904	msiexec.exe
Token: SeTakeOwnershipPrivilege	4904	msiexec.exe
Token: SeRestorePrivilege	4904	msiexec.exe
Token: SeTakeOwnershipPrivilege	4904	msiexec.exe
Token: SeRestorePrivilege	4904	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpPDFX5SA_sm.tmp

pid process

4664 FileCenterSetup12.0.16.0.tmp
1380 PDFX5SA_sm.tmp
1380 PDFX5SA_sm.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

FileCenter.exe

pid process

4480 FileCenter.exe
4480 FileCenter.exe
4480 FileCenter.exe

pid	process
4480	FileCenter.exe
4480	FileCenter.exe
4480	FileCenter.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exe

description	pid	process	target process
PID 4788 wrote to memory of 4664	4788	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 4788 wrote to memory of 4664	4788	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 4788 wrote to memory of 4664	4788	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 4664 wrote to memory of 3672	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 3672	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 3672	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 5056	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 5056	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 5056	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 3188	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 3188	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 3188	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 3188 wrote to memory of 5088	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 5088	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 5088	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 4172	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 4172	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 4172	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 1132	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 1132	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 1132	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 3460	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 3460	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 3460	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 1672	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 1672	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 1672	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 4964	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 4964	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 4964	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 2188	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 2188	3188	FileCenterUtils.exe	TASKKILL.exe
PID 3188 wrote to memory of 2188	3188	FileCenterUtils.exe	TASKKILL.exe
PID 4664 wrote to memory of 4736	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 4736	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 4736	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4736 wrote to memory of 3076	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 3076	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 3076	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 1360	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 1360	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 1360	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 1836	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 1836	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 1836	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 2928	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 2928	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 2928	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 2500	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 2500	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 2500	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 788	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 788	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 788	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 904	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 904	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4736 wrote to memory of 904	4736	FileCenterUtils.exe	TASKKILL.exe
PID 4664 wrote to memory of 2648	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 2648	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4664 wrote to memory of 2648	4664	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2648 wrote to memory of 4864	2648	FileCenterUtils.exe	regsvr32.exe
PID 2648 wrote to memory of 4864	2648	FileCenterUtils.exe	regsvr32.exe
PID 2648 wrote to memory of 4864	2648	FileCenterUtils.exe	regsvr32.exe
PID 2648 wrote to memory of 4136	2648	FileCenterUtils.exe	GdPictureComReg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$30232,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -CLOSEALL
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -INSTBEG
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:4864

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent
4⤵
- Executes dropped EXE
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb
5⤵
- Loads dropped DLL
- Modifies registry class
PID:3576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:4964

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:700

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:904

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"
4⤵
- Loads dropped DLL
PID:1384

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"
4⤵
- Loads dropped DLL
PID:4888

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
PID:2708

C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe
"C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3088

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
4⤵
- Executes dropped EXE
PID:5088

C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe
"C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=728 -burn.filehandle.self=556 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe
"C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{B8D66ED0-C35F-4C28-962A-9CD937E39C36} {C0094944-0F1D-4E8D-ABBF-746FFC0FD310} 1596
6⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
4⤵
- Executes dropped EXE
PID:1688

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
4⤵
- Executes dropped EXE
PID:5084

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
4⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp" /SL5="$80248,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1380

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "
6⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3104

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer
6⤵
- Executes dropped EXE
- Modifies registry class
PID:3448

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe
"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
6⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 6CE7BD2C2B51D99BA20D5947E6279BC7
2⤵
- Drops desktop.ini file(s)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B56DEC7FA55129A3BE48A99DFC97BF93 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:3088

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"
2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:1032

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
2⤵
- Executes dropped EXE
PID:1844

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
2⤵
- Executes dropped EXE
PID:1900

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:864

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3508

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3284

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2836

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF
2⤵
PID:4488

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:4872

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
2⤵
- Kills process with taskkill
PID:4984

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=NIOJEVYY&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235
2⤵
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8e2993cb8,0x7ff8e2993cc8,0x7ff8e2993cd8
3⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
3⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
3⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 /prefetch:8
3⤵
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
3⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
3⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
3⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4724 /prefetch:8
3⤵
PID:4776

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:4200

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3288

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2548

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1776

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:928

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
PID:4644

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:4688

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585031.rbs
Filesize
35KB

MD5
21da4d9c87f48fa47eca58790b1d0cf4

SHA1
00f46adb4812823d4660b620f8683d23c2750b46

SHA256
72c367be5d9839e40234c986c9930634cd7026c57a9df3aa35a4f6239b073564

SHA512
8a071817e28c5b99ff61640d08a130a246e3ace37329318d7ff594d9e2343c657e58939108b16568f0732047f187e2e2d2707e54fb5dc519436c5745b7d0eca1

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll
Filesize
593KB

MD5
2fbf69d014ae135d473ec8243d44be9e

SHA1
2c28d3b23d8ff061ae554ccd92aec93900e3cb2b

SHA256
6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3

SHA512
530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
Filesize
40.5MB

MD5
4c61ee01d5b84db67c38c10d3f210f39

SHA1
844eab66505dc4eb88dec70c3f20307365c350ac

SHA256
a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583

SHA512
a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
Filesize
20.1MB

MD5
879d5b401a73cc57a3166ba01ce70c60

SHA1
ee8b47af48514a3b65f4ee838c95e7a3a64d3434

SHA256
82da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe

SHA512
6e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll
Filesize
13.0MB

MD5
2b9bbd88d6b6a3b7c417cbb0eae69bf4

SHA1
c43ab9fa5c1085ba21280d143f8b8322d6a93883

SHA256
1e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f

SHA512
f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini
Filesize
27B

MD5
70da425f8aac14b1484047edb83e60e8

SHA1
69d09199af5a5ba4ed4e1d59432fec784d5271e4

SHA256
258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f

SHA512
a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
Filesize
7.7MB

MD5
42d9ffbb0b7ef3cbdeb0c005619b12fb

SHA1
fbaed95c25aa26c43121e8421b5154e9e5dcdca0

SHA256
59e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307

SHA512
c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll
Filesize
36.9MB

MD5
d9806fd0eeafd9f89e0473ad52889283

SHA1
d6fca558897aaa6703129557e2d02b1a84765dcb

SHA256
aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6

SHA512
796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb
Filesize
326KB

MD5
76f44f45f04429fe796e911a8ef10f75

SHA1
ec666fb9af1d5ecef931e46548a5d2a24cdf0d6c

SHA256
1b717bfff1990c07e95c8cfe53cda81e2fe9289d873a2e3230466304d5f2732b

SHA512
8f3cb705bd478af7ba1bc4a055ae7afa42c3bf740e16e6f8315e7794d77557562a79af6d32600b9702550388402063fecdebc9c17d41330dfff84f918c126415

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
Filesize
21KB

MD5
b9718823c993fccb6352cc0210993569

SHA1
4d551f7cafd0040ff9657ca644c1365f3e7847ae

SHA256
a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89

SHA512
6e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747

Download Submit
C:\Program Files (x86)\FileCenter\Main\VSTwain.dll
Filesize
573KB

MD5
13f5f7e228ce2b8a3a41dbad4e451279

SHA1
1b3837572602b2620b75bf2ad2aeab89a64f5287

SHA256
11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292

SHA512
24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

Download Submit
C:\Program Files (x86)\FileCenter\Main\dten600.dll
Filesize
7.7MB

MD5
22cf875a0cf0ad89f5f7d7ac6628a598

SHA1
c2a9620579a08d6a91557e6cb8f1d2585392d30d

SHA256
11ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf

SHA512
3b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608

Download Submit
C:\Program Files (x86)\FileCenter\Main\lbvProt.dll
Filesize
532KB

MD5
120387e48d0556538ef3ee68de18a707

SHA1
0633de57f7ef851115be39d407db8e08986b3d93

SHA256
e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e

SHA512
a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da

Download Submit
C:\Program Files (x86)\FileCenter\Main\secman.dll
Filesize
146KB

MD5
085d87f49daf13496e0e018c4008fae6

SHA1
4b0c3058b8ace7e8242c941b449daa968f5b45c7

SHA256
d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15

SHA512
52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

Download Submit
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
Filesize
13.6MB

MD5
35b40b21383ac38487ceec8ab6e53565

SHA1
59894bd9c96361b475c3b4b7ca9719c72e813d04

SHA256
caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec

SHA512
3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
42B

MD5
4a2b0b2d8d08db9fcc6eae2e25c9b4d1

SHA1
bcbd9242fe7ad0afabb143453d732657cfc79ede

SHA256
70bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e

SHA512
5dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
23B

MD5
b2ad8f8dcc45644ea167317d050faac4

SHA1
215091d6ad9d4f210b85e675b17c60a7300ca9b1

SHA256
9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0

SHA512
528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

Download Submit
C:\ProgramData\FileCenter\Intercepts.ini
Filesize
6KB

MD5
293bfe23c32bd1332e4caf09e9bb347d

SHA1
1777f80e58dcc9b37cf87d73a4680723c7b87461

SHA256
3f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264

SHA512
0ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194

Download Submit
C:\ProgramData\FileCenter\Logs\Hooks.txt
Filesize
450B

MD5
5d915d86de8f45dff3d86822bc200396

SHA1
f89c4a29c420a025e0f41926b6bb6fb55cfdb985

SHA256
edc2932a7cf28ed8bdf8fd110a1e684dbad8f245c71ce488458cec0484764a03

SHA512
8c9ffd78c2f87c14a344a5f11447d7ec7056c5253076f12dd7a1dff05f8e0a097c95953316603b065a88018880d4fb3982e7e70f80c2509f80133f8c72f97acb

Download Submit
C:\ProgramData\FileCenter\MRUInbox.ini
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\ProgramData\FileCenter\MyPortal.ini
Filesize
26B

MD5
8af40c2a9db1af603163ed8b0e25a3d0

SHA1
36db1a9baec9e7d6d17073529afff9df063e68d9

SHA256
64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705

SHA512
2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

Download Submit
C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt
Filesize
1KB

MD5
0e49fced3f998b2b6e2549c23474409e

SHA1
af9c37e746ffc4eaffcfa267397ebf957f25645f

SHA256
6de4e3a21fbf1fa73b88cb18df6441581db813b9c45f45ecb2da971157071952

SHA512
951df99a644de64c82bd03a3cefb19d137e2a743a82be7b77f6816913ab5429834a1e82736e9f59deba803d8222121102e689741abc12e2e6147560eb703d43d

Download Submit
C:\ProgramData\FileCenter\Settings\POLData_Lock.tmp
Filesize
14B

MD5
724deba0ee02aa7ad576295d784b1230

SHA1
f4f36556c9babc24a278f5f2ddcce4bff6a64bc7

SHA256
a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac

SHA512
3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6486ee9e961a437dadb68ff1544d18a8

SHA1
05f4daccca0bc1ce73fe71ad2325ba5dadd3df25

SHA256
9a98b4686c9e90672a548c873943b3027fb111f7992263111d912318429f5834

SHA512
ee3659f68a46f37f340f98b85a7aa289e700c5ced2a4f0104673bb5f18cc82d1e9b838ec0278407213c6ed2073998e7aad78a7a39390b7e460c8e26dfa91d0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2dfecbb576ee9795c5284da8a2a3c7f5

SHA1
f1f0a6a97850aca2b4ab267a017564af02f24948

SHA256
dca6901942fa748fc01339192c0738a06847d8497c9c61298f1e5df1f8352fb0

SHA512
d664cc261113427810dd0b2d32763ddd08611a528fe6b285782d6b8ac03304b72a90fe7f3f7142e825ab8d948d5c9cf52f420546f3796b2ac23f3d00f3c17389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
528B

MD5
7ee9d1adfc453746995c91d7816ce842

SHA1
9b8d2cfb4282c6f66f696233e89bcdb4a3f60477

SHA256
41fadce59623a3cea15c50106ed3b6b381cd187af364926e761639c6644d3b72

SHA512
39cb81a0f3eeab411d9ef1b99f87b1e7e4e961646192ba2cd64f6be2f1fc380bb9a4f6ff563c29f2460189ba721a6fdd84215bdc364c815170179c6ca1c9e398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
724b24a771bdf2efae1ed09f73b14edf

SHA1
1c74d239108a3ddabed04b8fece5f5d447e53a17

SHA256
60447a82634af5963fad5d4ac316490a11b33ee44bd68e0d291aa98485de6458

SHA512
3c70718526051f1ec8dda1c55bb5cf37aca4828b21cc9e1f666401c2ed633a09d18b1138005e3f32b989b75c83e236e794767af30d53455ecf8d9fcc140a424d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
25969c0fe6ef456c8cbddb9bfaae7036

SHA1
b2276dc446d857727c87c2fd20a029b8a5b89404

SHA256
f45697b889617f460c06609c8d43efbd601f4e4e1f0bd5242c33995a1a165db9

SHA512
d3bb8119c2148864fedff7d17739354398222c15d828f8f8ad5990e585198174db9ab48b1ec29a1af5fd98bded0d24928da1b01fd1459c33abd7078855d9b995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2667add663368ba18337ac76cc55aee7

SHA1
f80a109266315132192bf68077690d6a00f98596

SHA256
93de9774842e21fbe51b4c69306c320ba6c1a29986a1a745ad2407e230b62082

SHA512
75ddd04d1756fc2c3e3ea3f2b4d21a6b6b36bb7fc32ca4e6484c1e9daf12e36e1cf173d3615bafd24ef78ac115d74325912de4b6fdc0ea53faa4386a557d66e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
29b63cb2254d2540058586a319391af1

SHA1
df5004084bb3e9bf4b83d26ef7a9b1e165297d3f

SHA256
54995573a9f3f2691dcce4e3e19bacaf4d4f8db30de4409ddb919175ec65c69b

SHA512
3155de2ba5f39ec82523759fba528016999bd879ab9121ceb9edc06032e47e3e082c1bdd2d5902360e4df4563818265605e17219c25449e319049c9e1547551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp
Filesize
3.0MB

MD5
0acf3c16e6faca9c0aec525f53d03866

SHA1
5c3960b48d2b72ad02e59470d8a7b690ee826f9e

SHA256
2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151

SHA512
17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
Filesize
8.7MB

MD5
e9638374a27160513f1a62827b6cf102

SHA1
b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f

SHA256
c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942

SHA512
9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

Download Submit
C:\Users\Admin\AppData\Local\Temp\prnInstaller.log
Filesize
727B

MD5
72e72caf6d47cc2b4c99c59a57cbd76a

SHA1
fd33163a3fd40791becb593053dbf99e24f79cda

SHA256
bca501c08494a2c4c83e6b37ce8c928b61bfd9d58f174fac141b2babbc6f7e33

SHA512
9ece33542e7579486ad80cae64a0eb5046806485e74ff69ffc6c97f8101b27f2002f5e8ea230e873bda560662e648cd0b2a20337d5ddc913d27deba2f4c0f61e

Download Submit
C:\Windows\Installer\MSI53F7.tmp
Filesize
1.3MB

MD5
5a36339a5bae618a2ef09d0adab0b602

SHA1
437d251abdcfe4f9379c44336ff5b920df7a0fbf

SHA256
2e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674

SHA512
cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a

Download Submit
C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe
Filesize
632KB

MD5
86123c033231dd7e427d619ddeefd26a

SHA1
608c085348fd9c4e124e6f28f0388ccdac6ab2b5

SHA256
d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737

SHA512
ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

Download Submit
C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe
Filesize
1.4MB

MD5
63ed90cdd501829a2319f8cf86c52bd2

SHA1
da198bec49015e98baa5b2cb91903f659e31dd37

SHA256
529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f

SHA512
d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19

Download Submit
C:\Windows\Temp\{4C51FF7B-D418-4A7F-A55D-6A67E353E306}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{4C51FF7B-D418-4A7F-A55D-6A67E353E306}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.ba\logo.png
Filesize
5KB

MD5
04967ef5107480ea36b3e2e97af7eb7a

SHA1
6efdd4484dcfcfd45b3c887c852f0abb1a02a645

SHA256
63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21

SHA512
00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.ba\wixstdba.dll
Filesize
203KB

MD5
0ba387d66175c20452de372f8dbb79fe

SHA1
5411d41a7d88291b97fb9573eb6448c72e773b70

SHA256
7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33

SHA512
13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\PkgLite64
Filesize
2.6MB

MD5
e91e50fc80f7d84561db5823595e5b63

SHA1
b3e40b17a668586e86f346e9a7e3b8ef4838d437

SHA256
3203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948

SHA512
c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab20036D21E40418DD3280D692958B9275
Filesize
378KB

MD5
bed8b8bddf71f7b921c8efac0eb69518

SHA1
df2818992742ed4e80d28a94e1b0f43f280db455

SHA256
3cbfff994fa8a50b2d89e0dc906eefaf50ea16b07acb8ed4478fb2b116fcb8a5

SHA512
5699485985ea856d8ef3e97372e51c98eb81225c18ab5a851e1d8f574c0c9e77986563ad63e9b2118bd42edac0a39a46727306484be71af485955f9e818502d7

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab20F2A2993791BDD97B003B5578C7EAC7
Filesize
2.3MB

MD5
951b5426340de231c90e0be2780cc66e

SHA1
fd6b966fd3270e53d8b1d660d69d4290b75b8a9d

SHA256
afac74f4b16fbefff34daec002a027abab8d45b6113ce1fde320cbf2b8eec68d

SHA512
038c0a171079502899366abf1101b173468a1a1997dafe94b6d217e26d5f6fec97e0d38fd4f7a70ef3d410dfdd18b7d93b3954776db3fc7ed9e91211492e0fb2

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab293E212B151FCAC5768C99D66AA8D9AE
Filesize
1.8MB

MD5
f7bd3fbb5859bd43e830b621c8ade037

SHA1
71838fa41b8906bdcb9a64eec599dafd25d92c6f

SHA256
789ca746d45588380841494901a531abcf7a9a184f74af2cf049a77f489f4dc7

SHA512
53dbfde654e6bdaaab257fc3968a50ee7b8e4641bdc739c55ce1697e869ac513a7f2dc72ab92074b062928d56ab6f8083c5fa8a71a16a2f6918cc52f73b81250

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab5DD1590118F3640F385DB3EB2F516E5C
Filesize
17.1MB

MD5
b8b961c9899ec926b1dd8258b0232626

SHA1
8ed4a38e4a7c856a427a068ec51539f2e630f86c

SHA256
e9c26ae1625eb454e4cd78dd9ac145eeae94190f943b6fc72d250dc3acb703d7

SHA512
5dbcdbaf86bb25029838b93fa5787d9833b3ac2e6861b3df405b7957f1e5355395bcc664f4a550d9d79a7d3f7d98ca740527d5a86ecd0bfe0df3e768016f1877

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab66549ACD4EE6139A64068CA8626575A9
Filesize
1.5MB

MD5
bf193f70c4ba12e12a592df1cdb17b40

SHA1
e84a6d1cbcdc79926f7defef1ad4b7a8a651b5cb

SHA256
cee91939598abb3ec23ce0dc93c7690421efdca54795997558ef0fc617442a82

SHA512
23077213cb84b84096c93da33f3a23bda28bcda638ec3a9256f4ab064d8bf6f1e2860d32e6713716f35803db92fb30c4f07b0b2accccd914d7bcb75910b63d79

Download Submit
C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab8D36E281ACA51D7FBE9AB973BE9B36E3
Filesize
174KB

MD5
0102ec8e3aa2b964f2d7719dd00de809

SHA1
9a008c6acc5c70c8467621bf4a8e78930e2843a3

SHA256
765cdd18ca4b9c8de8f16035ab46f740a9da9e628f24dbfe16800af41fa3122b

SHA512
ee4f280449bcceb357290c1970914524fcb30931b240591cee3f540fbfe365a81f5d6201eee9e18598163f9be392062ee8cfcdf16d289c4bc2effa6061e69c94

Download Submit
memory/1220-972-0x0000000000950000-0x00000000013E6000-memory.dmp

Filesize
10.6MB

Download
memory/1380-1025-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1384-559-0x0000000010000000-0x00000000101C8000-memory.dmp

Filesize
1.8MB

Download
memory/1532-630-0x00000000009E0000-0x000000000119B000-memory.dmp

Filesize
7.7MB

Download
memory/1908-1026-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1908-964-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2552-810-0x0000000000950000-0x00000000013E6000-memory.dmp

Filesize
10.6MB

Download
memory/2552-963-0x0000000000950000-0x00000000013E6000-memory.dmp

Filesize
10.6MB

Download
memory/2648-667-0x0000000000950000-0x00000000013E6000-memory.dmp

Filesize
10.6MB

Download
memory/3188-20-0x00000000007A0000-0x0000000001236000-memory.dmp

Filesize
10.6MB

Download
memory/3228-1156-0x00000000004D0000-0x0000000001916000-memory.dmp

Filesize
20.3MB

Download
memory/3228-1132-0x0000000002270000-0x0000000002CA9000-memory.dmp

Filesize
10.2MB

Download
memory/3228-1157-0x0000000002270000-0x0000000002CA9000-memory.dmp

Filesize
10.2MB

Download
memory/3576-666-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/3576-567-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/3576-670-0x0000000006140000-0x0000000006162000-memory.dmp

Filesize
136KB

Download
memory/3576-669-0x00000000055A0000-0x00000000055A8000-memory.dmp

Filesize
32KB

Download
memory/3576-572-0x0000000007460000-0x000000000994A000-memory.dmp

Filesize
36.9MB

Download
memory/3576-665-0x00000000056F0000-0x0000000005C96000-memory.dmp

Filesize
5.6MB

Download
memory/3672-13-0x00000000007A0000-0x0000000001236000-memory.dmp

Filesize
10.6MB

Download
memory/3672-12-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/4136-556-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/4480-1031-0x00000000020F0000-0x0000000002B29000-memory.dmp

Filesize
10.2MB

Download
memory/4480-1405-0x00000000020F0000-0x0000000002B29000-memory.dmp

Filesize
10.2MB

Download
memory/4480-1182-0x0000000000010000-0x0000000001628000-memory.dmp

Filesize
22.1MB

Download
memory/4480-1183-0x00000000020F0000-0x0000000002B29000-memory.dmp

Filesize
10.2MB

Download
memory/4480-1404-0x0000000000010000-0x0000000001628000-memory.dmp

Filesize
22.1MB

Download
memory/4488-1131-0x0000000000950000-0x00000000013E6000-memory.dmp

Filesize
10.6MB

Download
memory/4644-1257-0x0000000001EA0000-0x00000000028D9000-memory.dmp

Filesize
10.2MB

Download
memory/4664-355-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-33-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-15-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-7-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-710-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-101-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-32-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-1027-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4664-1029-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4736-22-0x00000000007A0000-0x0000000001236000-memory.dmp

Filesize
10.6MB

Download
memory/4788-14-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4788-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4788-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4788-1030-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4964-711-0x000001F5F2230000-0x000001F5F2238000-memory.dmp

Filesize
32KB

Download
memory/4964-676-0x000001F5F0450000-0x000001F5F0460000-memory.dmp

Filesize
64KB

Download
memory/4964-708-0x000001F5F5100000-0x000001F5F75EA000-memory.dmp

Filesize
36.9MB

Download
memory/4964-712-0x000001F5F2270000-0x000001F5F2292000-memory.dmp

Filesize
136KB

Download
memory/5056-17-0x00000000007A0000-0x0000000001236000-memory.dmp

Filesize
10.6MB

Download