df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9

Resubmissions

25-06-2024 14:19

240625-rm6bxsvdkb 6

21-06-2024 15:11

240621-sknjrsygjm 6

17-06-2024 17:09

240617-vn6wmawhlb 10

14-06-2024 13:23

240614-qmxjcawdmm 10

Analysis

max time kernel
170s
max time network
168s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileCenterSetup12.0.16.0.exe
Size

300.4MB
MD5

123556b83a3dad2f59e76602768e9536
SHA1

b402ded286fff73aaf9b32f075bc32029da6d461
SHA256

df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
SHA512

bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
SSDEEP

6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FileCenterSetup12.0.16.0.tmpPDFXLite10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce"	PDFXLite10.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

3 1752 msiexec.exe
5 1752 msiexec.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

MsiExec.exe

description ioc process

File opened for modification C:\Users\Public\Desktop\desktop.ini MsiExec.exe

flow	pid	process
3	1752	msiexec.exe
5	1752	msiexec.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 9 IoCs

Processes:

PrnInstaller.exeprninstaller.exe

description	ioc	process
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL	prninstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL	prninstaller.exe
File created	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File opened for modification	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File created	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File opened for modification	C:\Windows\system32\pxc50pm.dll	prninstaller.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpmsiexec.exePDFX5SA_sm.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\FileCenter\Main\Dlltwain.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-9L5DU.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-694L3.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-AP3M1.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-K26GJ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\dinfo.dsf	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsasian315.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-1LCMN.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.pt-BR.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.lt-LT.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.it-IT.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\PXC50uif.dll	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Win32\is-O1DAL.tmp	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-DSAAK.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrspdf15.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterAdmin.exe	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-P79CN.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-62G09.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-DT2BV.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.da-DK.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.zh-TW.xcl	msiexec.exe
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\DrvUIL.x64.dll	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\is-5DTK6.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-QUNU8.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-V0O31.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-AHB9G.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-H9A62.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-NGT23.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-M4AQH.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-04DFP.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Help\is-JIGN4.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ko-KR.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Drivers\is-A0NNU.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterIndexer.exe	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-0L0NS.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-LH8QS.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-STH0C.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\pxcdrv.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\EZT4Symbol.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-K7B9E.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-LNC00.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-UVTI0.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\EZT4Tiff.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineRI.exe	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-0CQD8.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-DMGFD.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\Help\PDFX10ManLiteSm.pdf	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjbig215.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-3IQU7.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.sw-KE.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-EDH4N.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.fi-FI.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.tr-TR.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.hu-HU.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineGD.exe	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\ISYSpdf6.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-LK9IT.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-CHDTT.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\win32\PXC50pm.dll	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-UV7AS.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-IOR4O.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-4S7UP.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.zh-CN.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.fi-FI.xcl	msiexec.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exePDFXLite10.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f77372a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4379.tmp	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	PDFXLite10.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3C9D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CAD.tmp	msiexec.exe
File created	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File created	C:\Windows\Installer\f77372c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C0D.tmp	msiexec.exe
File created	C:\Windows\Installer\f77372a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42FA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f773727.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f773727.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CBE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 31 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeGdPictureComReg.exevc_redist.x86.exeFileCenterAutomateService.exevc_redist.x86.exeFileCenterUtils.exePDFXLite10.exePDFXLite10.exePDFXLite10.exePrnInstaller.exepdfSaverL.exepdfSaverL.exeFileCenterUtils.exePDFX5SA_sm.exePDFX5SA_sm.tmpprninstaller.exepdfSaver5.exeXCVault.exeFileCenter.exepdfSaverL.exepdfSaverL.exeFileCenterUtils.exeFileCenterAgent.exeFileCenterAgent.exeFileCenterInjector32.exe

pid	process
2972	FileCenterSetup12.0.16.0.tmp
2636	FileCenterUtils.exe
3068	FileCenterUtils.exe
2460	FileCenterUtils.exe
1544	FileCenterUtils.exe
112	FileCenterUtils.exe
1620	GdPictureComReg.exe
1428	vc_redist.x86.exe
2112	FileCenterAutomateService.exe
1216	vc_redist.x86.exe
1248	FileCenterUtils.exe
3016	PDFXLite10.exe
2000	PDFXLite10.exe
2168	PDFXLite10.exe
2912	PrnInstaller.exe
1100
1912	pdfSaverL.exe
3036	pdfSaverL.exe
1960	FileCenterUtils.exe
596	PDFX5SA_sm.exe
2276	PDFX5SA_sm.tmp
1864	prninstaller.exe
2608	pdfSaver5.exe
592	XCVault.exe
600	FileCenter.exe
2152	pdfSaverL.exe
2124	pdfSaverL.exe
3028	FileCenterUtils.exe
308	FileCenterAgent.exe
2232	FileCenterAgent.exe
1656	FileCenterInjector32.exe

Loads dropped DLL 64 IoCs

Processes:

FileCenterSetup12.0.16.0.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregasm.exevc_redist.x86.exevc_redist.x86.exeFileCenterUtils.exePDFXLite10.exePDFXLite10.exeMsiExec.exemsiexec.exeMsiExec.exeFileCenterUtils.exePDFX5SA_sm.exePDFX5SA_sm.tmp

pid	process
2872	FileCenterSetup12.0.16.0.exe
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
112	FileCenterUtils.exe
2240	regsvr32.exe
592	regsvr32.exe
1464	regsvr32.exe
1604	regsvr32.exe
2828	regsvr32.exe
1668	regsvr32.exe
2240	regsvr32.exe
1284	regasm.exe
1284	regasm.exe
112	FileCenterUtils.exe
112	FileCenterUtils.exe
1428	vc_redist.x86.exe
1216	vc_redist.x86.exe
1284	regasm.exe
1284	regasm.exe
1248	FileCenterUtils.exe
3016	PDFXLite10.exe
2000	PDFXLite10.exe
2000	PDFXLite10.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
1752	msiexec.exe
2704	MsiExec.exe
1100
1100
1100
1100
1100
1100
1100
1100
2704	MsiExec.exe
268	MsiExec.exe
1248	FileCenterUtils.exe
1248	FileCenterUtils.exe
1960	FileCenterUtils.exe
596	PDFX5SA_sm.exe
2276	PDFX5SA_sm.tmp
2276	PDFX5SA_sm.tmp
2276	PDFX5SA_sm.tmp
2276	PDFX5SA_sm.tmp
1100
1100
1100
1100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 27 IoCs

evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid	process
2308	TASKKILL.exe
1728	TASKKILL.exe
2580	TASKKILL.exe
268	TASKKILL.exe
2232	TASKKILL.exe
2148	TASKKILL.exe
948	TASKKILL.exe
600	TASKKILL.exe
1556	TASKKILL.exe
2444	TASKKILL.exe
2904	TASKKILL.exe
2464	TASKKILL.exe
2220	TASKKILL.exe
3012	TASKKILL.exe
2864	TASKKILL.exe
1836	TASKKILL.exe
2892	TASKKILL.exe
2392	TASKKILL.exe
2428	TASKKILL.exe
2816	TASKKILL.exe
1076	TASKKILL.exe
1608	TASKKILL.exe
2208	TASKKILL.exe
1572	TASKKILL.exe
1324	TASKKILL.exe
2020	TASKKILL.exe
2460	TASKKILL.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exemsiexec.exePDFX5SA_sm.tmpIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}	PDFX5SA_sm.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{82D9E0B1-2FE2-11EF-9680-DA96D1126947} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\"	PDFX5SA_sm.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3"	PDFX5SA_sm.tmp
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e0cc59efc3da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bd18e5f884de44a860c31ce68eba50f00000000020000000000106600000001000020000000c5bb36ab4e5b46ecc293c23d038798c6da618f07a03d10412a93defb8f3ea22b000000000e800000000200002000000051e3f91cce0118a52749516104bbdeba9143a0caf4bd01e6305226545814e5a420000000024688c0dac948d1657701b70caa3b05caf907f9e3ba8223d66afa3592d88b79400000004bb7e556cfb6474f296df0268b8f73d6f0e95d365463524ac616e9fbcfa1eddf8d5c2882b6b9f1647154cd527ef7079d7a5a8bfe713e5cf0bf62a97e1e5a62db	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe"	PDFX5SA_sm.tmp
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bd18e5f884de44a860c31ce68eba50f0000000002000000000010660000000100002000000090036b7d698d351a04fdd4dc4aa41eeac7289ad32abd788fdb14eae9dc050fab000000000e800000000200002000000033690ccc53d7007756b54f82f35a1477875c8929083e568bf270dfacb874f38c90000000736eaa8a84d674d0304896cb565e534c75ec23c906d0d7b1fc8f0059fa260615c0261562200ed5c8633b5faed534bbe006ae9b60ce2843ca37aa438d732cffa07f4ddd96b1fd165664256b530801f399bbe233fc3db6a8d690c80258c0778d5fa6f11cf6dfd2e5e6ab49ceed804cbc09297fecb91cbef4a39c906016f821e0b6b3becc08f374165896dbe4c9ddd69aba40000000fc7087c4014dcfc7721bd57170687ddaee668660f047ab94d8b844cfad299e60e7c9e5e2310f15a1c55ed10802a7615d4cd85c9a4c185fd653ecd3dda78567a3	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregasm.exeregasm.exeregsvr32.exepdfSaver5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{211AAF91-E97A-454C-9669-EDAEC904E16D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\InprocServer32\Class = "GdPicture14.GdPictureOCR+SpreadsheetOptions"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5037219D-F496-3D35-8258-B9B561BF622B}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8C2F816-B4B2-311D-BAA8-EF842F78E378}\ = "_AnnotationRectangleHighlighter"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72D158D4-EAF7-4894-A5FA-719C705800EB}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AFC06F6-7848-37B5-8044-97A2EBECF8BB}\MiscStatus\ = "131473"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE4EB426-7321-3D5B-A255-694F9D887551}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF67F023-1C25-481D-8EE2-D522FC578CC5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B430FB9-7FBB-4645-94BC-76E917FFCE42}\ = "IPXV_AttachSelection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73075CBA-0FA9-4A85-9922-EE773B6C9FDC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F279E381-71DB-39C4-9419-EF92C8FC045D}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C47EDD9-60A8-3CE6-B254-40B8B31C854F}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{32396BA9-AE47-3B2B-93E0-A968D7D41BF3}\ = "_ViewerMouseDownEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6D67878-15E2-4488-9981-2182B0652E8E}\ProgID\ = "dtengine.IndexCache.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{999A6C12-A602-4601-9866-0B9AE973B7F2}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CB4C389-2562-4339-BD98-EBB158192D61}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{426B5317-D5C9-411D-A518-E026C137E3F0}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49237A9D-448A-484D-9036-73E1E6C36628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5893B58-701E-4110-9871-1DA14CF9C1DC}\e.2\FLAGS	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{107507E4-8258-4E89-9167-CADCD46059BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4512B1B5-4B43-3918-8EFB-7C83CEA6B90E}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0A8E6A2C-43A6-48FE-953C-4668DC9F0352}\1.0\ = "PDF-XChange Printer 2012 Type Library"	pdfSaver5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A36038D-FA98-43A7-8DF0-5A9916167753}\ = "IPXV_CommentsView"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71974BB4-B316-3AED-94EA-A56531C19665}\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63375FB3-4F89-42F0-8090-209E954EBA1A}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91F594C1-7C1A-465D-BC9C-004E2FD7C6C4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D0BCE7AC-1387-4C70-9184-912EB94AE3ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6554EA2D-9436-4F25-8B11-A4CB7C2608DB}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F114962-0BD3-46E4-9128-B8AE21D8BA5D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4862F192-136A-4700-9F1D-0B6164A36B99}\ = "IGdPicturePDF"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\ProgId\ = "GdPicture14.ThumbnailEx"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFE955F3-4ADE-4C79-B40A-8DD1955A328F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17AA9FC1-A869-38F0-A7FF-A720437AD51D}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C15E43AE-9519-3E72-81E6-6D527D4E2BD3}\14.2.69.0\Class = "GdPicture14.ViewerZoomMode"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD74E532-D113-3F50-A247-49926E0C6476}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{419BF6AA-AA35-3FBC-B01B-554F71547437}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D513F74-9FC7-4179-A268-92E62D4F03A7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9DCA6E8-8C23-4765-8305-C58DEF3E27E0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A79755A3-8507-48EE-A616-611BB01CF94B}\TypeLib\Version = "e.2"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F5231AB-AF92-4184-A361-5A3307A3464E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8B148BBD-F357-4166-A073-16B44503B6AC}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B55EFD3A-7639-45F0-A33E-12971B7DAAB7}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EAC43C65-FF9C-360C-99E2-51908F1A60FC}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{164FD132-B662-3C32-8443-A7B8CAD07EB2}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B2AE5F-BFDE-426A-A8C5-A7489C64F0C0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53674462-76AA-41A3-A5A3-5241912E4222}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{092DCFE6-4B0E-4392-A71A-137E9F5DBF17}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B2AE5F-BFDE-426A-A8C5-A7489C64F0C0}\ = "IOperation"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3875CE8-36F6-3C53-8790-00366D3EA1FB}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{50B4C2D7-BD1F-3AA0-B81F-8C1054BC813E}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{209EE7F1-1F4F-49EE-9F26-01D7118E48D1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CBD34A5D-CCD7-47B5-B8D4-121D40FA0934}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1FB2340C-1E2A-3B9C-A78E-28C55F46EC7C}\14.2.69.0\Class = "GdPicture14.PdfDocumentMergingOptions"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB2B171B-0765-3453-975D-05DDFAC1DACA}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C0F85EB-00C8-33F4-8407-D77C223841B9}\ = "_ItemClickedEventHandler"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E200759-C46D-3822-A83A-11C96FC94477}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{879706ED-6E59-32EA-9C05-FDC9D5CFB7D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{879706ED-6E59-32EA-9C05-FDC9D5CFB7D4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

FileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeregsvr32.exeFileCenterAutomateService.exeFileCenterUtils.exemsiexec.exeMsiExec.exeFileCenterUtils.exePDFX5SA_sm.tmpFileCenter.exeFileCenterUtils.exeFileCenterAgent.exeFileCenterAgent.exeFileCenterInjector32.exe

pid	process
2636	FileCenterUtils.exe
2636	FileCenterUtils.exe
3068	FileCenterUtils.exe
3068	FileCenterUtils.exe
2460	FileCenterUtils.exe
2460	FileCenterUtils.exe
2972	FileCenterSetup12.0.16.0.tmp
2972	FileCenterSetup12.0.16.0.tmp
1544	FileCenterUtils.exe
1544	FileCenterUtils.exe
112	FileCenterUtils.exe
112	FileCenterUtils.exe
2240	regsvr32.exe
2240	regsvr32.exe
2112	FileCenterAutomateService.exe
2112	FileCenterAutomateService.exe
1248	FileCenterUtils.exe
1248	FileCenterUtils.exe
1752	msiexec.exe
1752	msiexec.exe
268	MsiExec.exe
268	MsiExec.exe
1960	FileCenterUtils.exe
1960	FileCenterUtils.exe
2276	PDFX5SA_sm.tmp
2276	PDFX5SA_sm.tmp
600	FileCenter.exe
600	FileCenter.exe
3028	FileCenterUtils.exe
3028	FileCenterUtils.exe
308	FileCenterAgent.exe
308	FileCenterAgent.exe
2232	FileCenterAgent.exe
2232	FileCenterAgent.exe
1656	FileCenterInjector32.exe
1656	FileCenterInjector32.exe
600	FileCenter.exe
600	FileCenter.exe
600	FileCenter.exe
600	FileCenter.exe
600	FileCenter.exe
600	FileCenter.exe

Suspicious behavior: SetClipboardViewer 6 IoCs

Processes:

FileCenter.exeFileCenterAgent.exe

pid process

600 FileCenter.exe
600 FileCenter.exe
600 FileCenter.exe
600 FileCenter.exe
308 FileCenterAgent.exe
308 FileCenterAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2444	TASKKILL.exe
Token: SeDebugPrivilege	2580	TASKKILL.exe
Token: SeDebugPrivilege	2428	TASKKILL.exe
Token: SeDebugPrivilege	2464	TASKKILL.exe
Token: SeDebugPrivilege	2816	TASKKILL.exe
Token: SeDebugPrivilege	3012	TASKKILL.exe
Token: SeDebugPrivilege	2864	TASKKILL.exe
Token: SeDebugPrivilege	948	TASKKILL.exe
Token: SeDebugPrivilege	600	TASKKILL.exe
Token: SeDebugPrivilege	268	TASKKILL.exe
Token: SeDebugPrivilege	1324	TASKKILL.exe
Token: SeDebugPrivilege	1608	TASKKILL.exe
Token: SeDebugPrivilege	1076	TASKKILL.exe
Token: SeDebugPrivilege	2208	TASKKILL.exe
Token: SeBackupPrivilege	2192	vssvc.exe
Token: SeRestorePrivilege	2192	vssvc.exe
Token: SeAuditPrivilege	2192	vssvc.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeShutdownPrivilege	2168	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	2168	PDFXLite10.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	2168	PDFXLite10.exe
Token: SeAssignPrimaryTokenPrivilege	2168	PDFXLite10.exe
Token: SeLockMemoryPrivilege	2168	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	2168	PDFXLite10.exe
Token: SeMachineAccountPrivilege	2168	PDFXLite10.exe
Token: SeTcbPrivilege	2168	PDFXLite10.exe
Token: SeSecurityPrivilege	2168	PDFXLite10.exe
Token: SeTakeOwnershipPrivilege	2168	PDFXLite10.exe
Token: SeLoadDriverPrivilege	2168	PDFXLite10.exe
Token: SeSystemProfilePrivilege	2168	PDFXLite10.exe
Token: SeSystemtimePrivilege	2168	PDFXLite10.exe
Token: SeProfSingleProcessPrivilege	2168	PDFXLite10.exe
Token: SeIncBasePriorityPrivilege	2168	PDFXLite10.exe
Token: SeCreatePagefilePrivilege	2168	PDFXLite10.exe
Token: SeCreatePermanentPrivilege	2168	PDFXLite10.exe
Token: SeBackupPrivilege	2168	PDFXLite10.exe
Token: SeRestorePrivilege	2168	PDFXLite10.exe
Token: SeShutdownPrivilege	2168	PDFXLite10.exe
Token: SeDebugPrivilege	2168	PDFXLite10.exe
Token: SeAuditPrivilege	2168	PDFXLite10.exe
Token: SeSystemEnvironmentPrivilege	2168	PDFXLite10.exe
Token: SeChangeNotifyPrivilege	2168	PDFXLite10.exe
Token: SeRemoteShutdownPrivilege	2168	PDFXLite10.exe
Token: SeUndockPrivilege	2168	PDFXLite10.exe
Token: SeSyncAgentPrivilege	2168	PDFXLite10.exe
Token: SeEnableDelegationPrivilege	2168	PDFXLite10.exe
Token: SeManageVolumePrivilege	2168	PDFXLite10.exe
Token: SeImpersonatePrivilege	2168	PDFXLite10.exe
Token: SeCreateGlobalPrivilege	2168	PDFXLite10.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpPDFX5SA_sm.tmpFileCenterAgent.exeiexplore.exe

pid process

2972 FileCenterSetup12.0.16.0.tmp
2276 PDFX5SA_sm.tmp
2276 PDFX5SA_sm.tmp
308 FileCenterAgent.exe
2712 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

FileCenterAgent.exe

pid process

308 FileCenterAgent.exe

pid	process
308	FileCenterAgent.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

FileCenter.exeFileCenterAgent.exeiexplore.exeIEXPLORE.EXEFileCenterAgent.exe

pid	process
600	FileCenter.exe
600	FileCenter.exe
600	FileCenter.exe
308	FileCenterAgent.exe
2712	iexplore.exe
2712	iexplore.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
2232	FileCenterAgent.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exe

description	pid	process	target process
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2872 wrote to memory of 2972	2872	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2972 wrote to memory of 2636	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2636	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2636	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2636	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 3068	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 3068	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 3068	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 3068	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2460	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2460	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2460	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 2460	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2460 wrote to memory of 2428	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2428	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2428	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2428	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2444	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2444	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2444	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2444	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2464	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2464	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2464	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2464	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2580	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2580	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2580	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2580	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2816	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2816	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2816	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2816	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2864	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2864	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2864	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 2864	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 3012	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 3012	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 3012	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2460 wrote to memory of 3012	2460	FileCenterUtils.exe	TASKKILL.exe
PID 2972 wrote to memory of 1544	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 1544	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 1544	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2972 wrote to memory of 1544	2972	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 1544 wrote to memory of 268	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 268	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 268	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 268	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 600	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 600	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 600	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 600	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 1076	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 1076	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 1076	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 1076	1544	FileCenterUtils.exe	TASKKILL.exe
PID 1544 wrote to memory of 948	1544	FileCenterUtils.exe	TASKKILL.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\is-ALDUF.tmp\FileCenterSetup12.0.16.0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ALDUF.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$400F8,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2636

C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe" -CLOSEALL
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe" -INSTBEG
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:112

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2828

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent
4⤵
- Executes dropped EXE
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb
5⤵
- Loads dropped DLL
- Modifies registry class
PID:1284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb
5⤵
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:592

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"
4⤵
- Loads dropped DLL
PID:1604

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"
4⤵
- Loads dropped DLL
PID:1464

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"
4⤵
- Loads dropped DLL
PID:1668

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428

C:\Windows\Temp\{F7B8032F-120A-48F7-86B7-F2F85E1ED1E0}\.cr\vc_redist.x86.exe
"C:\Windows\Temp\{F7B8032F-120A-48F7-86B7-F2F85E1ED1E0}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016

C:\Windows\Temp\{A74A5462-189D-480B-920E-AB04081F5FE2}\.cr\PDFXLite10.exe
"C:\Windows\Temp\{A74A5462-189D-480B-920E-AB04081F5FE2}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000

C:\Windows\Temp\{693C9D01-5A93-4FB7-B90C-3916D01A8397}\.be\PDFXLite10.exe
"C:\Windows\Temp\{693C9D01-5A93-4FB7-B90C-3916D01A8397}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{18C06755-63CA-48A9-A4D6-12D4023A83A8} {5199C2FB-1E3E-4618-B361-042DA0B70CC3} 2000
6⤵
- Adds Run key to start application
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
4⤵
- Executes dropped EXE
PID:3036

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
4⤵
- Executes dropped EXE
PID:1912

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596

C:\Users\Admin\AppData\Local\Temp\is-0V1CP.tmp\PDFX5SA_sm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0V1CP.tmp\PDFX5SA_sm.tmp" /SL5="$300D0,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2276

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "
6⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:1864

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer
6⤵
- Executes dropped EXE
- Modifies registry class
PID:2608

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe
"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
6⤵
- Executes dropped EXE
PID:592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 89A5DC51A720C4B7CF49714EB6F329A1
2⤵
- Drops desktop.ini file(s)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:268

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 86C7E9FC29AD32D4819CB2B183B12ED7 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2704

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"
2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:2912

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:600

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
2⤵
- Executes dropped EXE
PID:2152

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1836

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2020

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2232

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2220

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:1556

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
2⤵
- Kills process with taskkill
PID:2460

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:308

C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe" 600
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=BISMIZHX&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2712

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2308

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1728

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2892

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2392

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1572

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2148

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77372b.rbs
Filesize
34KB

MD5
538eb3f93fba806ef8d7e066cbe39b63

SHA1
06e2a54e6b06f9812b99f1a704a0fb72fa3dbcb1

SHA256
859f6817194de756b9f890b976966b4ac54053643348a58a5c62d7720c71335a

SHA512
dad9579abb2ececd25083ac9f319298f58e4517effcc32b169ba2225cb6198081707a828a4a7233c16451c6278f7cac02815073a7ac4eb7bb8c5a8a86e578dda

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll
Filesize
593KB

MD5
2fbf69d014ae135d473ec8243d44be9e

SHA1
2c28d3b23d8ff061ae554ccd92aec93900e3cb2b

SHA256
6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3

SHA512
530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\unins000.exe
Filesize
1.1MB

MD5
fa3f6d3bed7348ac3f45fde9e4ded1e4

SHA1
fdbf41b865e6a697142e8a2beb975ee728c41585

SHA256
3dbf88889ad9e347ac3fe93ec6f5d3771eff1fc2de39f8d7b3df9263a76b651e

SHA512
ed3d9fde7060b138b838ecc47969e601872b6a9541a39e24fbe7b56e1a68e414a93d9de187331d4dbf02430d4165c36ae2b167457e8ee90c59796ba7da972524

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
Filesize
40.5MB

MD5
4c61ee01d5b84db67c38c10d3f210f39

SHA1
844eab66505dc4eb88dec70c3f20307365c350ac

SHA256
a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583

SHA512
a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini
Filesize
27B

MD5
70da425f8aac14b1484047edb83e60e8

SHA1
69d09199af5a5ba4ed4e1d59432fec784d5271e4

SHA256
258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f

SHA512
a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
Filesize
7.7MB

MD5
42d9ffbb0b7ef3cbdeb0c005619b12fb

SHA1
fbaed95c25aa26c43121e8421b5154e9e5dcdca0

SHA256
59e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307

SHA512
c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll
Filesize
36.9MB

MD5
d9806fd0eeafd9f89e0473ad52889283

SHA1
d6fca558897aaa6703129557e2d02b1a84765dcb

SHA256
aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6

SHA512
796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
Filesize
21KB

MD5
b9718823c993fccb6352cc0210993569

SHA1
4d551f7cafd0040ff9657ca644c1365f3e7847ae

SHA256
a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89

SHA512
6e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747

Download Submit
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
Filesize
13.6MB

MD5
35b40b21383ac38487ceec8ab6e53565

SHA1
59894bd9c96361b475c3b4b7ca9719c72e813d04

SHA256
caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec

SHA512
3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

Download Submit
C:\ProgramData\FileCenter\ColumnStatesCab.ini
Filesize
260B

MD5
9481fa75e40fd7d6236b4680a546a110

SHA1
7c5260ab9d1c9dbf77f9a10708de8d484a7d731f

SHA256
115fc9747d7294635c8ca982169e3cf7fe25932ae2f1fa1ff8fb502ab9de3404

SHA512
7bae892db74ef424fe8cf7e98013a98a00313d00188f7919fb39ec9553a380a98159e289a4f153b204cf176a563a568a938678a1ad985b85d3c5fee06f4ebb91

Download Submit
C:\ProgramData\FileCenter\ColumnStatesCab.ini
Filesize
916B

MD5
71a194b9d4ceb795f7d5306e36f72420

SHA1
e36dcd697224dffe1993c3207f4a5d1786a66a21

SHA256
233191406a7259278487b59e59ed1efaf3310a5407c3b4f922bdb4493d2d39cd

SHA512
678f538a241cb88d70effb4fefc320788d1d0e55d196418e8bb24b2fbd6f5db12012d90d1455617edc36d672f51636987aeefd88dc441d9f755248f1d10e3319

Download Submit
C:\ProgramData\FileCenter\ColumnStatesCab.ini
Filesize
5KB

MD5
3c78191be09b4a0cbad92cfeb1218759

SHA1
26ac00f02d2e39cba573e908adab29332fdf2d74

SHA256
e089ca10bb421f8d22fcd5a547fa2f491235c009ee27e0b4542d692a16d2c232

SHA512
ee6f21932a0d63854d6cd1bc2c8abb60463060ceb62aecf1133f51a3b1198ae520d64363f819402060c768611b62b48f9eb9e1baeeefc4e653b257b086316443

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
42B

MD5
4a2b0b2d8d08db9fcc6eae2e25c9b4d1

SHA1
bcbd9242fe7ad0afabb143453d732657cfc79ede

SHA256
70bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e

SHA512
5dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
23B

MD5
b2ad8f8dcc45644ea167317d050faac4

SHA1
215091d6ad9d4f210b85e675b17c60a7300ca9b1

SHA256
9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0

SHA512
528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

Download Submit
C:\ProgramData\FileCenter\Intercepts.ini
Filesize
6KB

MD5
293bfe23c32bd1332e4caf09e9bb347d

SHA1
1777f80e58dcc9b37cf87d73a4680723c7b87461

SHA256
3f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264

SHA512
0ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194

Download Submit
C:\ProgramData\FileCenter\MRUIMGEditor.ini
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\ProgramData\FileCenter\MyPortal.ini
Filesize
26B

MD5
8af40c2a9db1af603163ed8b0e25a3d0

SHA1
36db1a9baec9e7d6d17073529afff9df063e68d9

SHA256
64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705

SHA512
2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

Download Submit
C:\ProgramData\FileCenter\Settings\HUBData_Lock.tmp
Filesize
14B

MD5
724deba0ee02aa7ad576295d784b1230

SHA1
f4f36556c9babc24a278f5f2ddcce4bff6a64bc7

SHA256
a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac

SHA512
3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5209f2634a1532da7ec17bfc54e7981e

SHA1
637bdd8300be614331f494a867b2972385d8bdc0

SHA256
245b02ac50bd71dc79b1579327c01cb52ef485a18c5f835fd752335a9bf201a2

SHA512
74e6f09c20ab888927e99f53504e354255abea060a5adc72b45d010b153ebd6d17efcbb86d043d6ec6ac4d7bd30ffe91544ec4c6987fc180aec24ed0afaad90b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a3dc0a976c07ff4a2d067f454ba4c029

SHA1
b008f72e8d810d79de82ca6db9111bdb08e60f37

SHA256
8afadcc12b036da91c4f24174d8bed55bde19e2655f7c2f6a307ca1300e1b313

SHA512
fa0f3e3240e91f1848c6afef685b27aaca88229ae7788bcccae45d9eb173a5aefd892ef39a93cb0fbf86702ebb97cc5ed65d6fe45a0322953b5c5f55407cf629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
01db72c5cb4a4c9d0f889cc9aff6ff8f

SHA1
b40913bce6c7383df200b5bee4b114368eaffe78

SHA256
9816b982e00af8f92be476cf46727c41e477f77cf8b668da9ef7513a9d10ee10

SHA512
8441b4d1681ad099ed2ddcdbd2f90100645d9c33131261fcf2b7ba58006d8db024380773e5325e02660355f238f72e8f520d7152397856dd850373697ef1c45a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
623a53604aa5f0704b6e263ba2572dc5

SHA1
3f6a8c52802b1d477403e0d44a65882cfd84ddd2

SHA256
e7c24711fe99a86205f996bc3c72ea8b531f3c876ff6a911cd16b1c31bf4a272

SHA512
1237ff3c79e8485956e197f1403f2e3976a68e38c3d481ea5699dd03b8a018c40cd5497223c72f9039b94837f22acc35827a6d5eb665aa861d8003599660ca92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d848363de8f6d6a07cc0bc1dd0aa962d

SHA1
b8909034d27b751f74d7a133cd01ce5207e5af7d

SHA256
1c3d177d85a28089a98bf5770edd65b2883c53b5c5d055a167f2282e5e9257c7

SHA512
e9826eb1824d40177756a4e0247b2c503c9ea867f3793a888f844574695d8d9b16234cea2f3a9b841db62ec33cd4a5b22752820ebfa80d9890d7662553c855a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4f81336e48c4fba9a1d0d7aa866a65c0

SHA1
22e70f13952e15ccb8704afee7b009fa86bca68c

SHA256
6b01095926287ca3b6c72ffc2e240b67f027c92d396d0210be9ade7a6334749f

SHA512
8780807f8c5b1d80299d97bc007cef44ab35c101cea4a1d5084e49b2d00f9c68a9fa11465ecf480337e25acf5fb408556715f4ee002b3041c378ef98ae0547ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6a24ef284931f6d2f7b53abda9465929

SHA1
5a8db3817cbe77c68828c7d525b0fcc83328479e

SHA256
9a4ee4af78a6d5c2cbd156451e53c86c2816b2b2cc7c509996a6f6b3acb05717

SHA512
4501058869836ebe9c85fe6b9b2e4d6c7fe97c292c8367d38e0e533c3d735e14c005a9e7fca6b18e56e8e651c7cf6c347322ad8715e801bab5e62769b8954aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4371ba9e2dcf29fd9e25f5d997ff9a73

SHA1
3663f34aa25218414ae4ab293df2c301d7dbfe84

SHA256
5eaefe4db3b10b1f650f1ab3b2db736b86a1f8266456f9941cd0b3bf8758832e

SHA512
2b1c0b5a603d5d0c8b12c7cb97a17bead4f4949350fceac502c7177e4b65eba35acd107581c9dcfb8f6d9a23d9dc4d2e29e79c76489b5be61aff0d9b133f2ba6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d89918ff90f05cee8180a9be4adc177c

SHA1
b4e7eb3f34533615fdfca70a5c7b3558acab3e42

SHA256
ac9566aeb2ddc70a393028bc370eaee662502b4bb81acafaa5038698c79fde0b

SHA512
7f1a9151b25530a4ee13b008b15d7de1985c30ed86ff8751ff312bfa3e3056f1a98127ef0ce72c0cb2d6d3830487e01a7b9bafec6135fbc96f4967ae1ad510f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab37B5.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar390F.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A5F.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\prnInstaller.log
Filesize
396B

MD5
84ba1acd39fc52eb3159386e13d5861a

SHA1
2f053d9f7f3aa4257d0164fa18fbeef8083ab72a

SHA256
98e2e2747f52d7bcc4d1175dda6cb16cd7e8e07139e0c7788061b3c078cc85c0

SHA512
4e62247f8966400beffd7c061656eb4d5c7b84d916802a5c3f7ffdb1766770279addf6f029ca850ec084520b4ee7dd4a8fc2963c085cbe291c09bbc3e2d975ab

Download Submit
C:\Windows\Installer\MSI3C6D.tmp
Filesize
1.3MB

MD5
5a36339a5bae618a2ef09d0adab0b602

SHA1
437d251abdcfe4f9379c44336ff5b920df7a0fbf

SHA256
2e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674

SHA512
cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a

Download Submit
C:\Windows\Installer\f773727.msi
Filesize
2.6MB

MD5
e91e50fc80f7d84561db5823595e5b63

SHA1
b3e40b17a668586e86f346e9a7e3b8ef4838d437

SHA256
3203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948

SHA512
c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034

Download Submit
C:\Windows\Temp\{693C9D01-5A93-4FB7-B90C-3916D01A8397}\.ba\logo.png
Filesize
5KB

MD5
04967ef5107480ea36b3e2e97af7eb7a

SHA1
6efdd4484dcfcfd45b3c887c852f0abb1a02a645

SHA256
63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21

SHA512
00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

Download Submit
C:\Windows\Temp\{96DD5E03-841B-484D-ACEC-E8694ED3005A}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{F7B8032F-120A-48F7-86B7-F2F85E1ED1E0}\.cr\vc_redist.x86.exe
Filesize
632KB

MD5
86123c033231dd7e427d619ddeefd26a

SHA1
608c085348fd9c4e124e6f28f0388ccdac6ab2b5

SHA256
d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737

SHA512
ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenter.exe
Filesize
20.1MB

MD5
879d5b401a73cc57a3166ba01ce70c60

SHA1
ee8b47af48514a3b65f4ee838c95e7a3a64d3434

SHA256
82da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe

SHA512
6e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll
Filesize
13.0MB

MD5
2b9bbd88d6b6a3b7c417cbb0eae69bf4

SHA1
c43ab9fa5c1085ba21280d143f8b8322d6a93883

SHA256
1e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f

SHA512
f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAdmin.exe
Filesize
15.2MB

MD5
30a169811bbb56f80ad2ef63bafd48bf

SHA1
61006f10a4ec28c8dcc2f19485306a349e65d82c

SHA256
5e6a19aa1448fdf5861b3a663d81e149582c65022d31020cad58e71943d850b9

SHA512
149df30e330b61345562bf5f6cdd313b73df3386cccfe0d56c178daa5172c10b120bb3bc9a6ce9de935772466c76af03cba9c399f1b60bec0470ec2ba9ffc9e5

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAutomate.exe
Filesize
15.1MB

MD5
b54c915c76810bd4ae1cacf3f60d3fcf

SHA1
348c04cd0057b2e12c64ae8911533ef9046a786b

SHA256
1d98350a7cd23ca173b6405ce46fe002f8ca340cd7362a1dd90927508ae37459

SHA512
dd8199c6edfe413d332c5925d75aea74ae96d8ff1efa323e57ca69c23065904b2db715b6af413bcca9f99b33280dacee24c695bf9cf61bb9dfae38112e9534ee

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterPortal.exe
Filesize
19.4MB

MD5
b117c8ab833f3fd2e645588b76e0350d

SHA1
542f9f159f61c53b6bddf3c12ee599f841894032

SHA256
fc84fcca5174673afc19102cc1ece6927f340a5b787602ae7c8487dd48af0183

SHA512
d662b913d390ff27cbecde257f6a3b873d8727df9d83fef57cce51be744e9748b18471b24af23adee36772ac5df7605a411b158c5e0aae276a55a4cff3117ef1

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterScan.exe
Filesize
18.4MB

MD5
48c0dc674559c958633f98b057ebcf26

SHA1
07af2ae436c357cf1ba508f0825654100cb56c07

SHA256
7dcbb120bff0e4eb3e1964c56de1d528810a64b28e224fe9f3bc1d65e15cb896

SHA512
7ecadbfa6ac7fdcdd274cee98329c614f3c387aaff658b163349ec4a42f782a8dcf7c1528ba0cfea362bf9b43c80f3e6aaf34f414767da51d3b2c3b425aafa00

Download Submit
\Program Files (x86)\FileCenter\Main\VSTwain.dll
Filesize
573KB

MD5
13f5f7e228ce2b8a3a41dbad4e451279

SHA1
1b3837572602b2620b75bf2ad2aeab89a64f5287

SHA256
11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292

SHA512
24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

Download Submit
\Program Files (x86)\FileCenter\Main\dten600.dll
Filesize
7.7MB

MD5
22cf875a0cf0ad89f5f7d7ac6628a598

SHA1
c2a9620579a08d6a91557e6cb8f1d2585392d30d

SHA256
11ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf

SHA512
3b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608

Download Submit
\Program Files (x86)\FileCenter\Main\lbvProt.dll
Filesize
532KB

MD5
120387e48d0556538ef3ee68de18a707

SHA1
0633de57f7ef851115be39d407db8e08986b3d93

SHA256
e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e

SHA512
a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da

Download Submit
\Program Files (x86)\FileCenter\Main\secman.dll
Filesize
146KB

MD5
085d87f49daf13496e0e018c4008fae6

SHA1
4b0c3058b8ace7e8242c941b449daa968f5b45c7

SHA256
d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15

SHA512
52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

Download Submit
\Users\Admin\AppData\Local\Temp\is-ALDUF.tmp\FileCenterSetup12.0.16.0.tmp
Filesize
3.0MB

MD5
0acf3c16e6faca9c0aec525f53d03866

SHA1
5c3960b48d2b72ad02e59470d8a7b690ee826f9e

SHA256
2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151

SHA512
17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

Download Submit
\Users\Admin\AppData\Local\Temp\is-PK3UA.tmp\FileCenterUtils.exe
Filesize
8.7MB

MD5
e9638374a27160513f1a62827b6cf102

SHA1
b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f

SHA256
c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942

SHA512
9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

Download Submit
\Windows\Temp\{96DD5E03-841B-484D-ACEC-E8694ED3005A}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{A74A5462-189D-480B-920E-AB04081F5FE2}\.cr\PDFXLite10.exe
Filesize
1.4MB

MD5
63ed90cdd501829a2319f8cf86c52bd2

SHA1
da198bec49015e98baa5b2cb91903f659e31dd37

SHA256
529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f

SHA512
d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19

Download Submit
memory/112-630-0x0000000000310000-0x0000000000DA6000-memory.dmp

Filesize
10.6MB

Download
memory/308-1224-0x0000000002540000-0x0000000002F79000-memory.dmp

Filesize
10.2MB

Download
memory/308-1583-0x0000000002540000-0x0000000002F79000-memory.dmp

Filesize
10.2MB

Download
memory/308-1582-0x00000000010F0000-0x0000000002536000-memory.dmp

Filesize
20.3MB

Download
memory/308-2339-0x00000000010F0000-0x0000000002536000-memory.dmp

Filesize
20.3MB

Download
memory/596-1049-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/596-1113-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/600-1542-0x00000000002F0000-0x0000000001908000-memory.dmp

Filesize
22.1MB

Download
memory/600-1562-0x0000000071490000-0x0000000071495000-memory.dmp

Filesize
20KB

Download
memory/600-1564-0x0000000071440000-0x0000000071442000-memory.dmp

Filesize
8KB

Download
memory/600-1565-0x0000000071460000-0x0000000071461000-memory.dmp

Filesize
4KB

Download
memory/600-1566-0x0000000071450000-0x0000000071455000-memory.dmp

Filesize
20KB

Download
memory/600-1561-0x0000000071480000-0x0000000071482000-memory.dmp

Filesize
8KB

Download
memory/600-2230-0x000000006F420000-0x000000006F5C2000-memory.dmp

Filesize
1.6MB

Download
memory/600-1543-0x0000000001AB0000-0x00000000024E9000-memory.dmp

Filesize
10.2MB

Download
memory/600-1563-0x0000000071460000-0x0000000071461000-memory.dmp

Filesize
4KB

Download
memory/600-1556-0x00000000714A0000-0x00000000714A1000-memory.dmp

Filesize
4KB

Download
memory/600-1119-0x0000000001AB0000-0x00000000024E9000-memory.dmp

Filesize
10.2MB

Download
memory/600-2229-0x0000000001AB0000-0x00000000024E9000-memory.dmp

Filesize
10.2MB

Download
memory/600-1558-0x00000000714A0000-0x00000000714A1000-memory.dmp

Filesize
4KB

Download
memory/600-1568-0x0000000071420000-0x0000000071425000-memory.dmp

Filesize
20KB

Download
memory/600-1567-0x0000000071410000-0x0000000071412000-memory.dmp

Filesize
8KB

Download
memory/600-2228-0x00000000002F0000-0x0000000001908000-memory.dmp

Filesize
22.1MB

Download
memory/1248-724-0x0000000000D60000-0x00000000017F6000-memory.dmp

Filesize
10.6MB

Download
memory/1248-1048-0x0000000000D60000-0x00000000017F6000-memory.dmp

Filesize
10.6MB

Download
memory/1284-715-0x0000000007850000-0x0000000007858000-memory.dmp

Filesize
32KB

Download
memory/1284-686-0x0000000005230000-0x000000000771A000-memory.dmp

Filesize
36.9MB

Download
memory/1284-640-0x0000000005230000-0x000000000771A000-memory.dmp

Filesize
36.9MB

Download
memory/1284-582-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/1464-578-0x0000000010000000-0x00000000101C8000-memory.dmp

Filesize
1.8MB

Download
memory/1544-28-0x00000000012B0000-0x0000000001D46000-memory.dmp

Filesize
10.6MB

Download
memory/1620-574-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/1656-1570-0x0000000001070000-0x0000000001368000-memory.dmp

Filesize
3.0MB

Download
memory/1960-1058-0x0000000000FD0000-0x0000000001A66000-memory.dmp

Filesize
10.6MB

Download
memory/2112-639-0x0000000000F60000-0x000000000171B000-memory.dmp

Filesize
7.7MB

Download
memory/2232-1553-0x0000000002540000-0x0000000002F79000-memory.dmp

Filesize
10.2MB

Download
memory/2232-1552-0x00000000010F0000-0x0000000002536000-memory.dmp

Filesize
20.3MB

Download
memory/2276-1112-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2460-25-0x0000000001160000-0x0000000001BF6000-memory.dmp

Filesize
10.6MB

Download
memory/2504-721-0x000000001C0F0000-0x000000001E5DA000-memory.dmp

Filesize
36.9MB

Download
memory/2504-722-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2504-720-0x000000001C0F0000-0x000000001E5DA000-memory.dmp

Filesize
36.9MB

Download
memory/2504-719-0x000000013F620000-0x000000013F630000-memory.dmp

Filesize
64KB

Download
memory/2636-16-0x0000000000EA0000-0x0000000001936000-memory.dmp

Filesize
10.6MB

Download
memory/2872-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2872-2-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2872-1118-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2872-20-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2972-21-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-1117-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-8-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-1115-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-49-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-118-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-346-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2972-577-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3028-1222-0x0000000000FD0000-0x0000000001A66000-memory.dmp

Filesize
10.6MB

Download
memory/3068-19-0x0000000001030000-0x0000000001AC6000-memory.dmp

Filesize
10.6MB

Download