Malware Analysis Report

2024-09-11 16:45

Sample ID 240617-vn6wmawhlb
Target FileCenterSetup12.0.16.0.exe
SHA256 df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
Tags vidar discovery persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9

Threat Level: Known bad

The file FileCenterSetup12.0.16.0.exe was found to be: Known bad.

Malicious Activity Summary

vidar discovery persistence stealer

Vidar

Adds Run key to start application

Enumerates connected drives

Drops desktop.ini file(s)

Blocklisted process makes network request

Drops file in System32 directory

Checks computer location settings

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious behavior: SetClipboardViewer

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 17:09

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 17:09

Reported

2024-06-17 17:12

Platform

win10v2004-20240508-en

Max time kernel

99s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

Signatures

Vidar

stealer vidar

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce" C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File opened for modification C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File opened for modification C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-M07RP.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-F69IJ.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-PF716.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-J5SQ2.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-8THFG.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.pt-PT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-I7370.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-A9TMD.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-ESKRB.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.gl-ES.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\DTKBarReader.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineTR.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrstiff15.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-CFA43.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.az-Latn-AZ.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.fr-FR.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-BHFHI.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-1PJCI.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-7ETE7.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.de-DE.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\Separators.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineOM.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-5N81D.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.zh-TW.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-CNRFK.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-R5U8K.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-654SQ.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.zh-CN.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsbarcodeevoi.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\iristestapp.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrs_sentinel_software_protection15.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-9K5OF.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsasian315.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-63FS1.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.az-Latn-AZ.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Help\fc-automate.chm C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-MIF1N.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInst.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ca-ES.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\is-H9922.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-5TO2P.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.he-IL.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\PrnInstaller.exe C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.Imaging.Rendering.Skia.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAddin64.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-TW.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-F8R1N.tmp C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\secman.dll.log C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-CN.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterConnect.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-G55RA.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-R0M66.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-AMOJU.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrspdf15.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-O8DQM.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Samples\is-IHQ6I.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-HEDHM.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterScanner.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrs15_wrapper.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Jpeg.dll C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-AICFH.tmp C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIFA05.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c02e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF191.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF26D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF473.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF2CB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF30B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF4C2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF82E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF977.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c032.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58c02e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF0D3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF122.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6318D993-1BE8-4BE4-B9E9-D6BFED11A071} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{021BDF87-EEFB-4384-9183-F8170E3DC459}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdPictureSegmenter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24DFB749-780D-41B4-9BE3-8894D202B944}\LocalServer32\ = "\"C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\pdfSaver5.exe\"" C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\LocalServer32\ = "\"C:\\Program Files\\Tracker Software\\Update\\TrackerUpdate.exe\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Class = "GdPicture14.PDFReducerConfiguration" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\Class = "GdPicture14.ThumbnailEx" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC305882-1ABA-3F2C-A65E-21C65724405D}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91F594C1-7C1A-465D-BC9C-004E2FD7C6C4}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EDC5163-6E6C-411C-994F-FD3FD74483DE}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C6E22F-8BE0-454F-9BEB-0AA6BAD031D0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D63F369-74F5-4C4B-A203-B68374F6A35A}\ = "IPdfOcrOptions" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dten600.IndexJob\ = "IndexJob Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF79EF22-544F-4E0B-8557-57A7950A507C}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{048DF9C9-E6DB-303F-A676-F6C241423050}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09EA520D-7D38-4CB7-A9A4-75D3091D1886}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56169002-DDE6-3E69-B5A6-F822875A8F98}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8594B97D-DE56-3238-8D69-6888903637B2}\14.2.69.0\Class = "GdPicture14.OCRSpecialContext" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F578A25-D034-35D4-86DE-F5B986E0AC71}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EDC5163-6E6C-411C-994F-FD3FD74483DE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{12A37198-695A-3C12-B1A1-A55E89A5753F}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1FB2340C-1E2A-3B9C-A78E-28C55F46EC7C}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FF9C4E60-328E-3A72-8F5D-E49FED1E8CF3}\14.2.69.0\Class = "GdPicture14.TwainCapabilities" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{443882E6-D69C-4E94-A9A6-F2D6D856CC16}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B148BBD-F357-4166-A073-16B44503B6AC}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EF5FC277-ED69-3343-8AF7-B140C21CE2E2}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{29ABE265-6CDB-3D02-B577-CA01A9859877}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DEF6A2E-AE0C-33DB-907D-F5C2153DE192}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4C199F2-0F2A-4E4A-80C9-F5B36D96F527}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8756C601-DB33-3E27-A201-89D054D1148A}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC305882-1ABA-3F2C-A65E-21C65724405D}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BDC35748-A9B4-31C9-8D53-E3A5647D701D}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E6B3C777-1FFC-3498-A081-729A1A623397}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EE073683-21DE-3474-A8EF-128FD3A5CE81}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{732F9719-9EA7-3026-A19D-D320EDAC3088}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B430FB9-7FBB-4645-94BC-76E917FFCE42}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EBB31E2-2E6A-4463-B53B-EA7C502D564D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2D544A1-449E-46A1-83EB-DD4A261BA283} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53674462-76AA-41A3-A5A3-5241912E4222}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DA36BE4-B5F2-4B33-9D8C-72593FEBDF99} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A12D321-718B-3588-A18A-F7F236C6CB46}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lbvProt.ProtocolHandler\ = "CProtocolHandler Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{999A6C12-A602-4601-9866-0B9AE973B7F2}\ = "IUIX_Ruler" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{93C19653-9C8D-3058-B701-31E0263CF0D6} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DAAB4CCC-0DED-382B-B4B8-533519BED688}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4F44B54-E71F-41F9-95E7-401437931922}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\Implemented Categories C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6E145F8-828D-36C9-9FAD-24DAFD63BE9A}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3862573D-5BFA-3850-ABBF-016FCCAF161F}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AE9FE02C-2917-3CDF-83C6-040C869E2504}\14.2.69.0\Class = "GdPicture14.PdfColorSpace" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49423ABA-6AC6-3259-BF41-09893EEE9A32} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8C2F816-B4B2-311D-BAA8-EF842F78E378}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{097275F3-B4E1-4219-97B2-8E1B17C5E4EE}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0BCE7AC-1387-4C70-9184-912EB94AE3ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E17795EB-5144-3228-979F-A1013FE7C79B}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{697DF022-B24E-11D3-B57C-00105AA461D0}\TypeLib\ = "{A967E5C4-B0E1-11D3-B57C-00105AA461D0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FF9C4E60-328E-3A72-8F5D-E49FED1E8CF3}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71C80989-F318-3838-8A71-65669C415BD0}\14.2.69.0\Class = "GdPicture14.ColorDropoutFilter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A967E5C4-B0E1-11D3-B57C-00105AA461D0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E44BB2E-FE28-495A-9D65-B4845C676567}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{107507E4-8258-4E89-9167-CADCD46059BB}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{264197D5-6440-3006-8548-E33267CA93BA}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55767E02-2E2D-47FB-A666-BB6B3498521D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35A751A3-6421-43CE-A2C3-AF90882A8875} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3C2B51C-003A-4D39-A90A-BB4486BF1E2C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1987CCA-CF31-47CE-932A-A19A07AFBAB2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CED0F57-B96A-4CF2-83B8-130E544A2644}\ = "IPXV_BookmEvent" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp
PID 2976 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp
PID 2976 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp
PID 2060 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 1432 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1432 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2060 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 2060 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
PID 3356 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3356 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2060 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 2060 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 2060 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4080 wrote to memory of 3948 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4080 wrote to memory of 3948 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4080 wrote to memory of 3948 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4080 wrote to memory of 1172 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$701CA,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -CLOSEALL

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -INSTBEG

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart

C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe

"C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=540 -burn.filehandle.self=552 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe

"C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{019FC21B-785F-4260-B83B-5E6AEE9AEFB6} {968BB185-F9EF-45E6-A671-B27254E79B08} 3344

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 66342A5A573178976D159FCD1D69914C

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding CE2A3E5C0DAAD649A6D94B8CDE415D60 E Global\MSI0000

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp" /SL5="$40304,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe

"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp

Files

memory/2976-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2976-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp

MD5 0acf3c16e6faca9c0aec525f53d03866
SHA1 5c3960b48d2b72ad02e59470d8a7b690ee826f9e
SHA256 2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151
SHA512 17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

memory/2060-6-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe

MD5 e9638374a27160513f1a62827b6cf102
SHA1 b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f
SHA256 c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942
SHA512 9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

memory/1212-12-0x0000000005020000-0x0000000005021000-memory.dmp

memory/1212-13-0x00000000009A0000-0x0000000001436000-memory.dmp

memory/2976-14-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2060-15-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2060-17-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3336-19-0x00000000009A0000-0x0000000001436000-memory.dmp

memory/2060-21-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1432-23-0x00000000009A0000-0x0000000001436000-memory.dmp

memory/3356-25-0x00000000009A0000-0x0000000001436000-memory.dmp

memory/2060-50-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2060-356-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe

MD5 879d5b401a73cc57a3166ba01ce70c60
SHA1 ee8b47af48514a3b65f4ee838c95e7a3a64d3434
SHA256 82da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe
SHA512 6e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

MD5 b9718823c993fccb6352cc0210993569
SHA1 4d551f7cafd0040ff9657ca644c1365f3e7847ae
SHA256 a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89
SHA512 6e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747

C:\Program Files (x86)\FileCenter\Main\dten600.dll

MD5 22cf875a0cf0ad89f5f7d7ac6628a598
SHA1 c2a9620579a08d6a91557e6cb8f1d2585392d30d
SHA256 11ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf
SHA512 3b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608

C:\Program Files (x86)\FileCenter\Main\lbvProt.dll

MD5 120387e48d0556538ef3ee68de18a707
SHA1 0633de57f7ef851115be39d407db8e08986b3d93
SHA256 e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e
SHA512 a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da

C:\Program Files (x86)\FileCenter\Main\VSTwain.dll

MD5 13f5f7e228ce2b8a3a41dbad4e451279
SHA1 1b3837572602b2620b75bf2ad2aeab89a64f5287
SHA256 11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA512 24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

memory/4332-559-0x0000000010000000-0x00000000101C8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll

MD5 2b9bbd88d6b6a3b7c417cbb0eae69bf4
SHA1 c43ab9fa5c1085ba21280d143f8b8322d6a93883
SHA256 1e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f
SHA512 f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30

memory/1172-562-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini

MD5 70da425f8aac14b1484047edb83e60e8
SHA1 69d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512 a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

C:\Program Files (x86)\FileCenter\Main\secman.dll

MD5 085d87f49daf13496e0e018c4008fae6
SHA1 4b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256 d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA512 52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

memory/236-567-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll

MD5 d9806fd0eeafd9f89e0473ad52889283
SHA1 d6fca558897aaa6703129557e2d02b1a84765dcb
SHA256 aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6
SHA512 796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

memory/236-572-0x0000000007EB0000-0x000000000A39A000-memory.dmp

C:\ProgramData\FileCenter\Config.ini

MD5 b2ad8f8dcc45644ea167317d050faac4
SHA1 215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA256 9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512 528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

MD5 42d9ffbb0b7ef3cbdeb0c005619b12fb
SHA1 fbaed95c25aa26c43121e8421b5154e9e5dcdca0
SHA256 59e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307
SHA512 c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb

C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Windows\Temp\{8E651816-596C-4DA0-8F8A-1FB26470B1D7}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{8E651816-596C-4DA0-8F8A-1FB26470B1D7}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/2520-630-0x0000000000140000-0x00000000008FB000-memory.dmp

memory/236-655-0x0000000006160000-0x0000000006704000-memory.dmp

memory/236-666-0x0000000005CB0000-0x0000000005D42000-memory.dmp

memory/4080-667-0x0000000000C60000-0x00000000016F6000-memory.dmp

memory/236-669-0x0000000006010000-0x0000000006018000-memory.dmp

memory/236-670-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb

MD5 2181937aa6a592be4b93413a2bcc274e
SHA1 c7f3c0c3ab00361c832d9f534221b7557ffb1f8c
SHA256 e5c02ad38b4db63d4615961ce52261c568ba94b6190969a84e3d9dc0fad75c85
SHA512 e36676d71906fa95a4ab389b43b35de381a1ece23092171c5de23e1b0e98f650b84c166a319c2417a303141e4fda9509b4db7277d34585fb9a4ac6f0e44dca8f

memory/2060-674-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

MD5 4c61ee01d5b84db67c38c10d3f210f39
SHA1 844eab66505dc4eb88dec70c3f20307365c350ac
SHA256 a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583
SHA512 a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80

memory/3308-676-0x000001D5B73B0000-0x000001D5B73C0000-memory.dmp

memory/3308-679-0x000001D5D3F30000-0x000001D5D641A000-memory.dmp

C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe

MD5 63ed90cdd501829a2319f8cf86c52bd2
SHA1 da198bec49015e98baa5b2cb91903f659e31dd37
SHA256 529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f
SHA512 d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.ba\wixstdba.dll

MD5 0ba387d66175c20452de372f8dbb79fe
SHA1 5411d41a7d88291b97fb9573eb6448c72e773b70
SHA256 7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA512 13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.ba\logo.png

MD5 04967ef5107480ea36b3e2e97af7eb7a
SHA1 6efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA256 63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA512 00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

memory/3308-711-0x000001D5B9010000-0x000001D5B9018000-memory.dmp

memory/3308-712-0x000001D5B9050000-0x000001D5B9072000-memory.dmp

memory/2404-718-0x0000000000C60000-0x00000000016F6000-memory.dmp

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\PkgLite64

MD5 e91e50fc80f7d84561db5823595e5b63
SHA1 b3e40b17a668586e86f346e9a7e3b8ef4838d437
SHA256 3203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948
SHA512 c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab20F2A2993791BDD97B003B5578C7EAC7

MD5 951b5426340de231c90e0be2780cc66e
SHA1 fd6b966fd3270e53d8b1d660d69d4290b75b8a9d
SHA256 afac74f4b16fbefff34daec002a027abab8d45b6113ce1fde320cbf2b8eec68d
SHA512 038c0a171079502899366abf1101b173468a1a1997dafe94b6d217e26d5f6fec97e0d38fd4f7a70ef3d410dfdd18b7d93b3954776db3fc7ed9e91211492e0fb2

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab5DD1590118F3640F385DB3EB2F516E5C

MD5 b8b961c9899ec926b1dd8258b0232626
SHA1 8ed4a38e4a7c856a427a068ec51539f2e630f86c
SHA256 e9c26ae1625eb454e4cd78dd9ac145eeae94190f943b6fc72d250dc3acb703d7
SHA512 5dbcdbaf86bb25029838b93fa5787d9833b3ac2e6861b3df405b7957f1e5355395bcc664f4a550d9d79a7d3f7d98ca740527d5a86ecd0bfe0df3e768016f1877

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab293E212B151FCAC5768C99D66AA8D9AE

MD5 f7bd3fbb5859bd43e830b621c8ade037
SHA1 71838fa41b8906bdcb9a64eec599dafd25d92c6f
SHA256 789ca746d45588380841494901a531abcf7a9a184f74af2cf049a77f489f4dc7
SHA512 53dbfde654e6bdaaab257fc3968a50ee7b8e4641bdc739c55ce1697e869ac513a7f2dc72ab92074b062928d56ab6f8083c5fa8a71a16a2f6918cc52f73b81250

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab66549ACD4EE6139A64068CA8626575A9

MD5 bf193f70c4ba12e12a592df1cdb17b40
SHA1 e84a6d1cbcdc79926f7defef1ad4b7a8a651b5cb
SHA256 cee91939598abb3ec23ce0dc93c7690421efdca54795997558ef0fc617442a82
SHA512 23077213cb84b84096c93da33f3a23bda28bcda638ec3a9256f4ab064d8bf6f1e2860d32e6713716f35803db92fb30c4f07b0b2accccd914d7bcb75910b63d79

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab8D36E281ACA51D7FBE9AB973BE9B36E3

MD5 0102ec8e3aa2b964f2d7719dd00de809
SHA1 9a008c6acc5c70c8467621bf4a8e78930e2843a3
SHA256 765cdd18ca4b9c8de8f16035ab46f740a9da9e628f24dbfe16800af41fa3122b
SHA512 ee4f280449bcceb357290c1970914524fcb30931b240591cee3f540fbfe365a81f5d6201eee9e18598163f9be392062ee8cfcdf16d289c4bc2effa6061e69c94

C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab20036D21E40418DD3280D692958B9275

MD5 bed8b8bddf71f7b921c8efac0eb69518
SHA1 df2818992742ed4e80d28a94e1b0f43f280db455
SHA256 3cbfff994fa8a50b2d89e0dc906eefaf50ea16b07acb8ed4478fb2b116fcb8a5
SHA512 5699485985ea856d8ef3e97372e51c98eb81225c18ab5a851e1d8f574c0c9e77986563ad63e9b2118bd42edac0a39a46727306484be71af485955f9e818502d7

C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt

MD5 68a333e2babb9b759461e533dcebe58a
SHA1 e5b40bc94e43efa537ef85f186ec82c074ce19a3
SHA256 fa2b8a085eface99ae0c851a1472b4aa485f3c25f720289a45c049a17d3e5ff9
SHA512 39fa33c345e19a31a630807be2f21adff06ee4da0451997b002213ad9d4e74bc6478d391e53df5562c270510604f4055d63aa15a3673c677bd76405fb84bf711

C:\Windows\Installer\MSIF0D3.tmp

MD5 5a36339a5bae618a2ef09d0adab0b602
SHA1 437d251abdcfe4f9379c44336ff5b920df7a0fbf
SHA256 2e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674
SHA512 cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 aa8de721ff57a808e13ef78cdcb2fa8c
SHA1 a011ba3bdc7cad20cb557bb9dea70390cf6bf3ed
SHA256 9de0d6ffab3c0f96fe8353f6510679d89e936981948446b2001132737e157084
SHA512 28888018313fc2bc787e729f6ec7219b1d156fb56390e3ff7a5be62e0ec93cf788d361d438c43bcb38f20c51c8d81996ccb9ea6a5d764180f3784e9ab9f0dc13

C:\Config.Msi\e58c031.rbs

MD5 c8cb28d3ed89380cdf048f4ee33e5cad
SHA1 60f3ac0a19bb990ba961c416c4eed495f595fd81
SHA256 6b01c4d0804db99865bcb1e799022dee0218df2c5a59f12b0be1a1788cd00f46
SHA512 aa5d51182bf8691a34097d11123b230fd446b05c24ec466f8d1f4b4be6b3be6698d67d0fcbc32fbbff01f50024d53c3ea0b7274052d923e158bdbffeca208a97

memory/2404-958-0x0000000000C60000-0x00000000016F6000-memory.dmp

memory/2404-959-0x0000000000C60000-0x00000000016F6000-memory.dmp

memory/3508-961-0x0000000000400000-0x0000000000428000-memory.dmp

memory/684-965-0x0000000000C60000-0x00000000016F6000-memory.dmp

C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll

MD5 2fbf69d014ae135d473ec8243d44be9e
SHA1 2c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA256 6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512 530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

memory/3308-1021-0x0000000000400000-0x000000000052C000-memory.dmp

memory/3508-1022-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2060-1024-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2976-1025-0x0000000000400000-0x00000000004D8000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 17:09

Reported

2024-06-17 17:12

Platform

win11-20240611-en

Max time kernel

84s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

Signatures

Vidar

stealer vidar

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce" C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Windows\System32\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File created C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\pxcpmL.dll C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
File opened for modification C:\Windows\system32\pxc50pm.dll C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
File created C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAutomate.exe C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-S3UTN.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-TC5OQ.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.it-IT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.ko-KR.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ru-RU.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsbarcodeevoi.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\VSTwain.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\EZT4Curl.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-6FPM2.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-56KAV.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.de-DE.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-N9OF5.tmp C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrspng15.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-ME9QM.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\fonts\is-ACB01.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-S6SOH.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-GRA19.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-M3AON.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-DDUML.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-0IQOA.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.ar-SA.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-GDHE9.tmp C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-ISGHE.tmp C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\dten600.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-BC7DU.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-IDRRE.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sl-SI.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Tracker Software\Vault\XCVault.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.ca-ES.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\ISYS11df.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\secman64.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\IRIS\is-9N0N2.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.es-ES.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.hr-HR.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\PrnInstaller.exe C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Samples\is-BNQI6.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.barcode.1d.reader.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-64HKO.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.es-ES.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.sw-KE.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-PVLT3.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Tips\is-B894J.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-34TA8.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-SAJMQ.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Help\fc-receipts.chm C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdmtxbarcodewrapper15.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-8IIT7.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-8AQTF.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-PDRLI.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-LHDKH.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-UHALA.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.nl-NL.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.it-IT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.lt-LT.xcl C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\Plugins.x86\FowpKbd.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\GdOCR\is-MNH15.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files (x86)\FileCenter\Main\is-BFJJJ.tmp C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File created C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.pt-PT.xcl C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\x86\pxcdrvL.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\IRIS\idrsprepro15.dll C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
File opened for modification C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineSI.exe C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI5650.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFFB55466E920F8FB0.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5506.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI55C2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5437.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI54B6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI54D6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6318D993-1BE8-4BE4-B9E9-D6BFED11A071} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53F7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585032.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF054A37D9107D8A9A.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C5D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5AB6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58502e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5438.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF89695EB81DCEBB25.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5CAC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58502e.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF064DF0761007DD87.TMP C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A
N/A N/A C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe N/A
N/A N/A C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\Class = "GdPicture14.AnnotationManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\Class = "GdPicture14.PDFReducerConfiguration" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\Class = "GdPicture14.LicenseManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\14.2.69.0\Class = "GdPicture14.AnnotationManager" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Class = "GdPicture14.GdPictureDocumentConverter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Class = "GdPicture14.ThumbnailEx" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdPictureImaging" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Class = "GdPicture14.BookmarksTree" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdPictureSegmenter" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\WOW6432Node\CLSID\{021BDF87-EEFB-4384-9183-F8170E3DC459}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\Class = "GdPicture14.GdPictureDocumentUtilities" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\Class = "GdPicture14.GdViewer" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\ = "C:\\Windows\\system32\\mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\Class = "GdPicture14.GdPictureImaging" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\14.2.69.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}\InprocServer32\Class = "GdPicture14.Imaging.GdPictureRectangleF" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{816CDC47-C3A9-4671-A17C-790D90CD38E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D9725FB-C4AE-3241-87C2-74EB5AEF08C5}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1B4807E-65DB-4FE7-88FE-DB703CF57807}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{579D24AF-3D4A-37C4-83F9-4425875420C6} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFE955F3-4ADE-4C79-B40A-8DD1955A328F}\ = "IScopeTable" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CCBAA52-8111-4806-B7EA-E0672F8382CD}\ = "IUIX_IndexNavigator" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{107507E4-8258-4E89-9167-CADCD46059BB}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{757D1792-2ABC-3FDB-8D16-FB2D4CFD8C57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PDFXEdit.PXV_Control\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1CB9426-FA08-4829-8470-C8C7FF7F7A00}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75738A39-DE0A-3278-A2A6-44414D88375A}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F437265A-6A1D-3D0B-BAD6-927B3FBD1870}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C341E89-9DC0-4DDA-94D1-BE06A410FC14}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1F453A2D-3447-3EA2-8BF2-72D23DBE1763}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{999A6C12-A602-4601-9866-0B9AE973B7F2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB7399B9-914D-3C44-92A1-D3D8E9E0E0B7}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\InprocServer32\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{98A91833-FF3A-34C5-8687-A7D4FBCD758C}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{697DF02C-B24E-11D3-B57C-00105AA461D0}\ = "IWordListBuilder" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0AAB4D6-161B-4ED0-8BA2-BDD15BF79C47}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27F3CABC-31C1-4B29-A782-B68D4F4EA61A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3032FD95-B715-3197-9D59-72A49D4406CC} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A967E5D1-B0E1-11D3-B57C-00105AA461D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4F44B54-E71F-41F9-95E7-401437931922}\ = "IUIX_ObjImpl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E71F605-B8D3-4478-BDBA-7021069C464F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A018E70A-4E56-44ED-8E14-BB82ED650C38} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF79EF22-544F-4E0B-8557-57A7950A507C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{728DE4F5-1EC1-36CD-A66A-2A879E0CD577}\ = "_AnnotationPolygon" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21934FDF-3C12-386C-AF83-930445E4BF5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4C199F2-0F2A-4E4A-80C9-F5B36D96F527}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD7FAFAA-9748-4CFC-B134-D3B2CA96B4F8}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CB6A5453-A446-37E7-94AA-69FFAA6BAEF8}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74CB8E24-D85D-4A6D-BE72-AF57F21A1034}\ = "IPXV_OpenFilesDlgRes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8934FF21-97DD-3A3A-A58D-327BAA701B1E}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{770AC2F7-EEDB-3BD2-929D-A31F37ECA030}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD3E64CE-677F-4A57-89A3-08250712CCF2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D0BCE7AC-1387-4C70-9184-912EB94AE3ED} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14587E1E-35FA-4716-AE19-A18E355EFA17} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{09EA520D-7D38-4CB7-A9A4-75D3091D1886}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E2CC9E0-0E1D-3BB4-978C-49CB86E5389F}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8EEA099A-C845-39D0-855A-48DDD6387A2C}\14.2.69.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE4EB426-7321-3D5B-A255-694F9D887551}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E09B1C3C-4818-319E-8C07-BCEAB34C5DF6}\ProxyStubClsid32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5CABA2F-B413-4C6F-94B6-0B573AFD07EB}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4813FAB2-FDF6-3ACA-8C00-511671D1214B}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB2B171B-0765-3453-975D-05DDFAC1DACA}\TypeLib C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6910CD2-DD1E-3C78-BE53-5F96E5EF96BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FBA9A67E-B04B-344A-87F1-EEA9EBDBB4A9}\14.2.69.0\Class = "GdPicture14.ViewerDocumentPosition" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24DFB749-780D-41B4-9BE3-8894D202B944}\Programmable C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{419BF6AA-AA35-3FBC-B01B-554F71547437}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3BBC168-3896-467E-9C5D-D46845C0E25E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE52AAD-8807-46DA-8EF6-C20E2E8AEF2D}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1491043E-1B4D-489D-BED8-B9E2E7598289}\TypeLib\Version = "e.2" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F6F77C6-6570-3583-B9E4-95C1551B0455}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A423192-ADF5-313F-A768-6FCD2AA5192D} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A967E5D2-B0E1-11D3-B57C-00105AA461D0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63375FB3-4F89-42F0-8090-209E954EBA1A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C6E22F-8BE0-454F-9BEB-0AA6BAD031D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4BB41F56-27B6-359C-9BA5-13E1D21488BF}\14.2.69.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B27E7FF-6279-49DA-AE6B-8E13AD665B1F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A
N/A N/A C:\Program Files (x86)\FileCenter\Main\FileCenter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp
PID 4788 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp
PID 4788 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp
PID 4664 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 3188 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3188 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4664 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4664 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe
PID 4736 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4736 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 4664 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4664 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 4664 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
PID 2648 wrote to memory of 4864 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2648 wrote to memory of 4864 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2648 wrote to memory of 4864 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2648 wrote to memory of 4136 N/A C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$30232,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -CLOSEALL

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe" -INSTBEG

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterPortal.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReceipts.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterReports.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileAgent.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart

C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe

"C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /install /quiet /norestart

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb

C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe

"C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=728 -burn.filehandle.self=556 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe

"C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{B8D66ED0-C35F-4C28-962A-9CD937E39C36} {C0094944-0F1D-4E8D-ABBF-746FFC0FD310} 1596

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 6CE7BD2C2B51D99BA20D5947E6279BC7

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding B56DEC7FA55129A3BE48A99DFC97BF93 E Global\MSI0000

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TKGBK.tmp\PDFX5SA_sm.tmp" /SL5="$80248,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe

"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe

"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe

"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterAgent.exe

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=NIOJEVYY&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8e2993cb8,0x7ff8e2993cc8,0x7ff8e2993cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe

"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,17446455539315167490,27881596031288773,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4724 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterThumbs.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /T /IM FileCenterScanner.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 98.129.229.7:80 assets.filecenter.com tcp
US 98.129.229.7:80 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 98.129.229.7:443 assets.filecenter.com tcp
US 8.8.8.8:53 assets.calendly.com udp
US 8.8.8.8:53 code.jquery.com udp
US 8.8.8.8:53 ws.zoominfo.com udp
US 8.8.8.8:53 static.zdassets.com udp
US 104.18.41.175:443 assets.calendly.com tcp
US 151.101.194.137:443 code.jquery.com tcp
US 104.18.70.113:443 static.zdassets.com tcp
US 104.16.118.43:443 ws.zoominfo.com tcp
US 104.18.41.175:443 assets.calendly.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
BE 2.17.107.209:80 apps.identrust.com tcp
BE 2.17.107.209:80 apps.identrust.com tcp
BE 2.17.107.209:80 apps.identrust.com tcp
BE 2.17.107.209:80 apps.identrust.com tcp
US 18.239.208.55:443 static.hotjar.com tcp
US 204.79.197.237:443 bat.bing.com tcp
GB 163.70.147.23:443 connect.facebook.net tcp
GB 142.250.187.194:443 googleads.g.doubleclick.net tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
BE 108.177.15.156:443 stats.g.doubleclick.net tcp
GB 142.250.200.3:443 www.google.co.uk tcp
GB 142.250.200.3:443 www.google.co.uk tcp
BE 108.177.15.156:443 stats.g.doubleclick.net tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.200.3:443 www.google.co.uk udp
US 104.18.70.113:443 static.zdassets.com tcp
US 18.239.208.43:443 script.hotjar.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 156.15.177.108.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.208.239.18.in-addr.arpa udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 104.16.53.111:443 lucion.zendesk.com tcp
IE 52.215.226.194:443 widget-mediator.zopim.com tcp

Files

memory/4788-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4788-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FB3TF.tmp\FileCenterSetup12.0.16.0.tmp

MD5 0acf3c16e6faca9c0aec525f53d03866
SHA1 5c3960b48d2b72ad02e59470d8a7b690ee826f9e
SHA256 2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151
SHA512 17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

memory/4664-7-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-NHF2H.tmp\FileCenterUtils.exe

MD5 e9638374a27160513f1a62827b6cf102
SHA1 b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f
SHA256 c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942
SHA512 9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

memory/3672-12-0x00000000038A0000-0x00000000038A1000-memory.dmp

memory/3672-13-0x00000000007A0000-0x0000000001236000-memory.dmp

memory/4788-14-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4664-15-0x0000000000400000-0x000000000071A000-memory.dmp

memory/5056-17-0x00000000007A0000-0x0000000001236000-memory.dmp

memory/3188-20-0x00000000007A0000-0x0000000001236000-memory.dmp

memory/4736-22-0x00000000007A0000-0x0000000001236000-memory.dmp

memory/4664-33-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4664-32-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4664-101-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4664-355-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe

MD5 879d5b401a73cc57a3166ba01ce70c60
SHA1 ee8b47af48514a3b65f4ee838c95e7a3a64d3434
SHA256 82da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe
SHA512 6e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe

MD5 b9718823c993fccb6352cc0210993569
SHA1 4d551f7cafd0040ff9657ca644c1365f3e7847ae
SHA256 a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89
SHA512 6e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747

C:\Program Files (x86)\FileCenter\Main\dten600.dll

MD5 22cf875a0cf0ad89f5f7d7ac6628a598
SHA1 c2a9620579a08d6a91557e6cb8f1d2585392d30d
SHA256 11ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf
SHA512 3b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608

C:\Program Files (x86)\FileCenter\Main\lbvProt.dll

MD5 120387e48d0556538ef3ee68de18a707
SHA1 0633de57f7ef851115be39d407db8e08986b3d93
SHA256 e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e
SHA512 a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da

memory/4136-556-0x0000000000080000-0x0000000000088000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\VSTwain.dll

MD5 13f5f7e228ce2b8a3a41dbad4e451279
SHA1 1b3837572602b2620b75bf2ad2aeab89a64f5287
SHA256 11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA512 24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll

MD5 2b9bbd88d6b6a3b7c417cbb0eae69bf4
SHA1 c43ab9fa5c1085ba21280d143f8b8322d6a93883
SHA256 1e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f
SHA512 f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30

C:\Program Files (x86)\FileCenter\Main\secman.dll

MD5 085d87f49daf13496e0e018c4008fae6
SHA1 4b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256 d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA512 52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

memory/1384-559-0x0000000010000000-0x00000000101C8000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini

MD5 70da425f8aac14b1484047edb83e60e8
SHA1 69d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256 258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512 a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

memory/3576-567-0x0000000000390000-0x00000000003A2000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll

MD5 d9806fd0eeafd9f89e0473ad52889283
SHA1 d6fca558897aaa6703129557e2d02b1a84765dcb
SHA256 aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6
SHA512 796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422

memory/3576-572-0x0000000007460000-0x000000000994A000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe

MD5 35b40b21383ac38487ceec8ab6e53565
SHA1 59894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256 caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA512 3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

C:\ProgramData\FileCenter\Config.ini

MD5 b2ad8f8dcc45644ea167317d050faac4
SHA1 215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA256 9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512 528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

C:\Windows\Temp\{0727E68B-DDD0-4626-ADC7-D1F740BD2D8A}\.cr\vc_redist.x86.exe

MD5 86123c033231dd7e427d619ddeefd26a
SHA1 608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256 d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512 ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe

MD5 42d9ffbb0b7ef3cbdeb0c005619b12fb
SHA1 fbaed95c25aa26c43121e8421b5154e9e5dcdca0
SHA256 59e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307
SHA512 c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb

C:\Windows\Temp\{4C51FF7B-D418-4A7F-A55D-6A67E353E306}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{4C51FF7B-D418-4A7F-A55D-6A67E353E306}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/3576-665-0x00000000056F0000-0x0000000005C96000-memory.dmp

memory/1532-630-0x00000000009E0000-0x000000000119B000-memory.dmp

memory/3576-666-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/2648-667-0x0000000000950000-0x00000000013E6000-memory.dmp

memory/3576-669-0x00000000055A0000-0x00000000055A8000-memory.dmp

memory/3576-670-0x0000000006140000-0x0000000006162000-memory.dmp

C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb

MD5 76f44f45f04429fe796e911a8ef10f75
SHA1 ec666fb9af1d5ecef931e46548a5d2a24cdf0d6c
SHA256 1b717bfff1990c07e95c8cfe53cda81e2fe9289d873a2e3230466304d5f2732b
SHA512 8f3cb705bd478af7ba1bc4a055ae7afa42c3bf740e16e6f8315e7794d77557562a79af6d32600b9702550388402063fecdebc9c17d41330dfff84f918c126415

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe

MD5 4c61ee01d5b84db67c38c10d3f210f39
SHA1 844eab66505dc4eb88dec70c3f20307365c350ac
SHA256 a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583
SHA512 a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80

memory/4964-676-0x000001F5F0450000-0x000001F5F0460000-memory.dmp

C:\Windows\Temp\{165396C3-214E-4707-86BE-E7AC05A6C242}\.cr\PDFXLite10.exe

MD5 63ed90cdd501829a2319f8cf86c52bd2
SHA1 da198bec49015e98baa5b2cb91903f659e31dd37
SHA256 529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f
SHA512 d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.ba\wixstdba.dll

MD5 0ba387d66175c20452de372f8dbb79fe
SHA1 5411d41a7d88291b97fb9573eb6448c72e773b70
SHA256 7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA512 13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\.ba\logo.png

MD5 04967ef5107480ea36b3e2e97af7eb7a
SHA1 6efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA256 63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA512 00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

memory/4964-708-0x000001F5F5100000-0x000001F5F75EA000-memory.dmp

memory/4664-710-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4964-711-0x000001F5F2230000-0x000001F5F2238000-memory.dmp

memory/4964-712-0x000001F5F2270000-0x000001F5F2292000-memory.dmp

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\PkgLite64

MD5 e91e50fc80f7d84561db5823595e5b63
SHA1 b3e40b17a668586e86f346e9a7e3b8ef4838d437
SHA256 3203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948
SHA512 c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab20F2A2993791BDD97B003B5578C7EAC7

MD5 951b5426340de231c90e0be2780cc66e
SHA1 fd6b966fd3270e53d8b1d660d69d4290b75b8a9d
SHA256 afac74f4b16fbefff34daec002a027abab8d45b6113ce1fde320cbf2b8eec68d
SHA512 038c0a171079502899366abf1101b173468a1a1997dafe94b6d217e26d5f6fec97e0d38fd4f7a70ef3d410dfdd18b7d93b3954776db3fc7ed9e91211492e0fb2

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab5DD1590118F3640F385DB3EB2F516E5C

MD5 b8b961c9899ec926b1dd8258b0232626
SHA1 8ed4a38e4a7c856a427a068ec51539f2e630f86c
SHA256 e9c26ae1625eb454e4cd78dd9ac145eeae94190f943b6fc72d250dc3acb703d7
SHA512 5dbcdbaf86bb25029838b93fa5787d9833b3ac2e6861b3df405b7957f1e5355395bcc664f4a550d9d79a7d3f7d98ca740527d5a86ecd0bfe0df3e768016f1877

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab8D36E281ACA51D7FBE9AB973BE9B36E3

MD5 0102ec8e3aa2b964f2d7719dd00de809
SHA1 9a008c6acc5c70c8467621bf4a8e78930e2843a3
SHA256 765cdd18ca4b9c8de8f16035ab46f740a9da9e628f24dbfe16800af41fa3122b
SHA512 ee4f280449bcceb357290c1970914524fcb30931b240591cee3f540fbfe365a81f5d6201eee9e18598163f9be392062ee8cfcdf16d289c4bc2effa6061e69c94

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab20036D21E40418DD3280D692958B9275

MD5 bed8b8bddf71f7b921c8efac0eb69518
SHA1 df2818992742ed4e80d28a94e1b0f43f280db455
SHA256 3cbfff994fa8a50b2d89e0dc906eefaf50ea16b07acb8ed4478fb2b116fcb8a5
SHA512 5699485985ea856d8ef3e97372e51c98eb81225c18ab5a851e1d8f574c0c9e77986563ad63e9b2118bd42edac0a39a46727306484be71af485955f9e818502d7

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab66549ACD4EE6139A64068CA8626575A9

MD5 bf193f70c4ba12e12a592df1cdb17b40
SHA1 e84a6d1cbcdc79926f7defef1ad4b7a8a651b5cb
SHA256 cee91939598abb3ec23ce0dc93c7690421efdca54795997558ef0fc617442a82
SHA512 23077213cb84b84096c93da33f3a23bda28bcda638ec3a9256f4ab064d8bf6f1e2860d32e6713716f35803db92fb30c4f07b0b2accccd914d7bcb75910b63d79

C:\Windows\Temp\{A9E16213-896B-4E9A-83C7-E4FB4068E6B8}\cab293E212B151FCAC5768C99D66AA8D9AE

MD5 f7bd3fbb5859bd43e830b621c8ade037
SHA1 71838fa41b8906bdcb9a64eec599dafd25d92c6f
SHA256 789ca746d45588380841494901a531abcf7a9a184f74af2cf049a77f489f4dc7
SHA512 53dbfde654e6bdaaab257fc3968a50ee7b8e4641bdc739c55ce1697e869ac513a7f2dc72ab92074b062928d56ab6f8083c5fa8a71a16a2f6918cc52f73b81250

C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt

MD5 0e49fced3f998b2b6e2549c23474409e
SHA1 af9c37e746ffc4eaffcfa267397ebf957f25645f
SHA256 6de4e3a21fbf1fa73b88cb18df6441581db813b9c45f45ecb2da971157071952
SHA512 951df99a644de64c82bd03a3cefb19d137e2a743a82be7b77f6816913ab5429834a1e82736e9f59deba803d8222121102e689741abc12e2e6147560eb703d43d

C:\Windows\Installer\MSI53F7.tmp

MD5 5a36339a5bae618a2ef09d0adab0b602
SHA1 437d251abdcfe4f9379c44336ff5b920df7a0fbf
SHA256 2e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674
SHA512 cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a

memory/2552-810-0x0000000000950000-0x00000000013E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\prnInstaller.log

MD5 72e72caf6d47cc2b4c99c59a57cbd76a
SHA1 fd33163a3fd40791becb593053dbf99e24f79cda
SHA256 bca501c08494a2c4c83e6b37ce8c928b61bfd9d58f174fac141b2babbc6f7e33
SHA512 9ece33542e7579486ad80cae64a0eb5046806485e74ff69ffc6c97f8101b27f2002f5e8ea230e873bda560662e648cd0b2a20337d5ddc913d27deba2f4c0f61e

C:\Config.Msi\e585031.rbs

MD5 21da4d9c87f48fa47eca58790b1d0cf4
SHA1 00f46adb4812823d4660b620f8683d23c2750b46
SHA256 72c367be5d9839e40234c986c9930634cd7026c57a9df3aa35a4f6239b073564
SHA512 8a071817e28c5b99ff61640d08a130a246e3ace37329318d7ff594d9e2343c657e58939108b16568f0732047f187e2e2d2707e54fb5dc519436c5745b7d0eca1

memory/2552-963-0x0000000000950000-0x00000000013E6000-memory.dmp

memory/1908-964-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1220-972-0x0000000000950000-0x00000000013E6000-memory.dmp

C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll

MD5 2fbf69d014ae135d473ec8243d44be9e
SHA1 2c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA256 6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512 530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

memory/1380-1025-0x0000000000400000-0x000000000052C000-memory.dmp

memory/1908-1026-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4664-1027-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4664-1029-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4788-1030-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4480-1031-0x00000000020F0000-0x0000000002B29000-memory.dmp

C:\ProgramData\FileCenter\Settings\POLData_Lock.tmp

MD5 724deba0ee02aa7ad576295d784b1230
SHA1 f4f36556c9babc24a278f5f2ddcce4bff6a64bc7
SHA256 a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac
SHA512 3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

C:\ProgramData\FileCenter\Config.ini

MD5 4a2b0b2d8d08db9fcc6eae2e25c9b4d1
SHA1 bcbd9242fe7ad0afabb143453d732657cfc79ede
SHA256 70bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e
SHA512 5dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826

C:\ProgramData\FileCenter\MyPortal.ini

MD5 8af40c2a9db1af603163ed8b0e25a3d0
SHA1 36db1a9baec9e7d6d17073529afff9df063e68d9
SHA256 64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705
SHA512 2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

memory/4488-1131-0x0000000000950000-0x00000000013E6000-memory.dmp

memory/3228-1132-0x0000000002270000-0x0000000002CA9000-memory.dmp

C:\ProgramData\FileCenter\Logs\Hooks.txt

MD5 5d915d86de8f45dff3d86822bc200396
SHA1 f89c4a29c420a025e0f41926b6bb6fb55cfdb985
SHA256 edc2932a7cf28ed8bdf8fd110a1e684dbad8f245c71ce488458cec0484764a03
SHA512 8c9ffd78c2f87c14a344a5f11447d7ec7056c5253076f12dd7a1dff05f8e0a097c95953316603b065a88018880d4fb3982e7e70f80c2509f80133f8c72f97acb

memory/3228-1157-0x0000000002270000-0x0000000002CA9000-memory.dmp

memory/3228-1156-0x00000000004D0000-0x0000000001916000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6486ee9e961a437dadb68ff1544d18a8
SHA1 05f4daccca0bc1ce73fe71ad2325ba5dadd3df25
SHA256 9a98b4686c9e90672a548c873943b3027fb111f7992263111d912318429f5834
SHA512 ee3659f68a46f37f340f98b85a7aa289e700c5ced2a4f0104673bb5f18cc82d1e9b838ec0278407213c6ed2073998e7aad78a7a39390b7e460c8e26dfa91d0e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2dfecbb576ee9795c5284da8a2a3c7f5
SHA1 f1f0a6a97850aca2b4ab267a017564af02f24948
SHA256 dca6901942fa748fc01339192c0738a06847d8497c9c61298f1e5df1f8352fb0
SHA512 d664cc261113427810dd0b2d32763ddd08611a528fe6b285782d6b8ac03304b72a90fe7f3f7142e825ab8d948d5c9cf52f420546f3796b2ac23f3d00f3c17389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 25969c0fe6ef456c8cbddb9bfaae7036
SHA1 b2276dc446d857727c87c2fd20a029b8a5b89404
SHA256 f45697b889617f460c06609c8d43efbd601f4e4e1f0bd5242c33995a1a165db9
SHA512 d3bb8119c2148864fedff7d17739354398222c15d828f8f8ad5990e585198174db9ab48b1ec29a1af5fd98bded0d24928da1b01fd1459c33abd7078855d9b995

memory/4480-1183-0x00000000020F0000-0x0000000002B29000-memory.dmp

memory/4480-1182-0x0000000000010000-0x0000000001628000-memory.dmp

C:\ProgramData\FileCenter\Intercepts.ini

MD5 293bfe23c32bd1332e4caf09e9bb347d
SHA1 1777f80e58dcc9b37cf87d73a4680723c7b87461
SHA256 3f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264
SHA512 0ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

memory/4644-1257-0x0000000001EA0000-0x00000000028D9000-memory.dmp

C:\ProgramData\FileCenter\MRUInbox.ini

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 29b63cb2254d2540058586a319391af1
SHA1 df5004084bb3e9bf4b83d26ef7a9b1e165297d3f
SHA256 54995573a9f3f2691dcce4e3e19bacaf4d4f8db30de4409ddb919175ec65c69b
SHA512 3155de2ba5f39ec82523759fba528016999bd879ab9121ceb9edc06032e47e3e082c1bdd2d5902360e4df4563818265605e17219c25449e319049c9e1547551a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2667add663368ba18337ac76cc55aee7
SHA1 f80a109266315132192bf68077690d6a00f98596
SHA256 93de9774842e21fbe51b4c69306c320ba6c1a29986a1a745ad2407e230b62082
SHA512 75ddd04d1756fc2c3e3ea3f2b4d21a6b6b36bb7fc32ca4e6484c1e9daf12e36e1cf173d3615bafd24ef78ac115d74325912de4b6fdc0ea53faa4386a557d66e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7ee9d1adfc453746995c91d7816ce842
SHA1 9b8d2cfb4282c6f66f696233e89bcdb4a3f60477
SHA256 41fadce59623a3cea15c50106ed3b6b381cd187af364926e761639c6644d3b72
SHA512 39cb81a0f3eeab411d9ef1b99f87b1e7e4e961646192ba2cd64f6be2f1fc380bb9a4f6ff563c29f2460189ba721a6fdd84215bdc364c815170179c6ca1c9e398

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 724b24a771bdf2efae1ed09f73b14edf
SHA1 1c74d239108a3ddabed04b8fece5f5d447e53a17
SHA256 60447a82634af5963fad5d4ac316490a11b33ee44bd68e0d291aa98485de6458
SHA512 3c70718526051f1ec8dda1c55bb5cf37aca4828b21cc9e1f666401c2ed633a09d18b1138005e3f32b989b75c83e236e794767af30d53455ecf8d9fcc140a424d

memory/4480-1405-0x00000000020F0000-0x0000000002B29000-memory.dmp

memory/4480-1404-0x0000000000010000-0x0000000001628000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 17:09

Reported

2024-06-17 17:12

Platform

win10-20240404-en

Max time kernel

60s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp
PID 4016 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp
PID 4016 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp
PID 1224 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe
PID 1224 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe
PID 1224 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe
PID 1224 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe
PID 1224 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe
PID 1224 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe

"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$601A8,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtilsInfo.ini"

C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe

"C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtilsInfo.ini"

Network

N/A

Files

memory/4016-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4016-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8TQBQ.tmp\FileCenterSetup12.0.16.0.tmp

MD5 0acf3c16e6faca9c0aec525f53d03866
SHA1 5c3960b48d2b72ad02e59470d8a7b690ee826f9e
SHA256 2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151
SHA512 17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

memory/1224-6-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UOLP0.tmp\FileCenterUtils.exe

MD5 e9638374a27160513f1a62827b6cf102
SHA1 b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f
SHA256 c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942
SHA512 9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

memory/4572-12-0x0000000001120000-0x0000000001BB6000-memory.dmp

memory/4016-13-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1224-14-0x0000000000400000-0x000000000071A000-memory.dmp

memory/3612-22-0x0000000001120000-0x0000000001BB6000-memory.dmp

memory/1224-24-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1224-26-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4016-28-0x0000000000400000-0x00000000004D8000-memory.dmp