Resubmissions
25-06-2024 14:19
240625-rm6bxsvdkb 621-06-2024 15:11
240621-sknjrsygjm 617-06-2024 17:09
240617-vn6wmawhlb 1014-06-2024 13:23
240614-qmxjcawdmm 10Analysis
-
max time kernel
172s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
21-06-2024 15:11
General
-
Target
FileCenterSetup12.0.16.0.exe
-
Size
300.4MB
-
MD5
123556b83a3dad2f59e76602768e9536
-
SHA1
b402ded286fff73aaf9b32f075bc32029da6d461
-
SHA256
df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
-
SHA512
bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
-
SSDEEP
6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 9 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 20 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 27 IoCs
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious behavior: SetClipboardViewer 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$B004E,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtilsInfo.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtilsInfo.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -CLOSEALL3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterPortal.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReceipts.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReports.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -INSTBEG3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterPortal.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReceipts.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReports.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb5⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb5⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"4⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{F3B228E9-267B-451A-97F8-84626EF487CF}\.cr\vc_redist.x86.exe"C:\Windows\Temp\{F3B228E9-267B-451A-97F8-84626EF487CF}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=656 -burn.filehandle.self=684 /install /quiet /norestart5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"4⤵
- Executes dropped EXE
-
C:\Windows\Temp\{BD1B01B0-89EF-47A3-82A5-AD94243ED846}\.cr\PDFXLite10.exe"C:\Windows\Temp\{BD1B01B0-89EF-47A3-82A5-AD94243ED846}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\.be\PDFXLite10.exe"C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{3089B57C-9094-44BA-BA10-3614CF53ECA8} {4BB312B7-88F9-4A14-B253-802C48B2D910} 44646⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"4⤵
- Executes dropped EXE
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HQGH8.tmp\PDFX5SA_sm.tmp"C:\Users\Admin\AppData\Local\Temp\is-HQGH8.tmp\PDFX5SA_sm.tmp" /SL5="$40306,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "6⤵
- Drops file in System32 directory
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install6⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 3A006377990EC9937D1C961010FD2B2F2⤵
- Drops desktop.ini file(s)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding F232A69EE1107F9D300AD5D8C5758EDD E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"2⤵
- Drops file in System32 directory
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"2⤵
- Executes dropped EXE
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterAgent.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=TMUACBLB&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=12352⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe741c46f8,0x7ffe741c4708,0x7ffe741c47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5280 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe2⤵
- Kills process with taskkill
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x304 0x2f41⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e5897d9.rbsFilesize
35KB
MD5bfab6019b14f541b0e31c1d43e5dfb92
SHA11d12773c2393b6fe12c4fbb3427465d02220a542
SHA2566c8724445ab56d87dac4c2fc2dc1ba75ba668d80fcb17cd9ef95c82872d66ced
SHA5128fb569ba6b2769bb891720d49cf31014cae4514b7dd8ca6ed53f9712b1078b8ea28ae8f69295a96d56c8c8b7a62279ac80c0ce3c95d9a33a7c22ca1d9c2ddae9
-
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dllFilesize
593KB
MD52fbf69d014ae135d473ec8243d44be9e
SHA12c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA2566f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654
-
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exeFilesize
40.5MB
MD54c61ee01d5b84db67c38c10d3f210f39
SHA1844eab66505dc4eb88dec70c3f20307365c350ac
SHA256a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583
SHA512a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80
-
C:\Program Files (x86)\FileCenter\Main\FileCenter.exeFilesize
20.1MB
MD5879d5b401a73cc57a3166ba01ce70c60
SHA1ee8b47af48514a3b65f4ee838c95e7a3a64d3434
SHA25682da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe
SHA5126e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dllFilesize
13.0MB
MD52b9bbd88d6b6a3b7c417cbb0eae69bf4
SHA1c43ab9fa5c1085ba21280d143f8b8322d6a93883
SHA2561e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f
SHA512f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.iniFilesize
27B
MD570da425f8aac14b1484047edb83e60e8
SHA169d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exeFilesize
7.7MB
MD542d9ffbb0b7ef3cbdeb0c005619b12fb
SHA1fbaed95c25aa26c43121e8421b5154e9e5dcdca0
SHA25659e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307
SHA512c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb
-
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dllFilesize
36.9MB
MD5d9806fd0eeafd9f89e0473ad52889283
SHA1d6fca558897aaa6703129557e2d02b1a84765dcb
SHA256aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6
SHA512796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422
-
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlbFilesize
356KB
MD5235af799cc5b5f0a846387765b004455
SHA17f766bc88ddca173a9118c2af7e8c04d03e9ffed
SHA256bf1342653bad546aeda012fff620fa8455145fefd81eb9d1d9bb5d0c970d5864
SHA512586192941caf51fcda886f859bbea0c02d0659857bf36d0a011a6207e5fd4d0cf877f8098003d66438e01d1684aef542dd96dcad637a698827e966b1103ec1b7
-
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exeFilesize
21KB
MD5b9718823c993fccb6352cc0210993569
SHA14d551f7cafd0040ff9657ca644c1365f3e7847ae
SHA256a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89
SHA5126e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747
-
C:\Program Files (x86)\FileCenter\Main\VSTwain.dllFilesize
573KB
MD513f5f7e228ce2b8a3a41dbad4e451279
SHA11b3837572602b2620b75bf2ad2aeab89a64f5287
SHA25611b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA51224ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d
-
C:\Program Files (x86)\FileCenter\Main\dten600.dllFilesize
7.7MB
MD522cf875a0cf0ad89f5f7d7ac6628a598
SHA1c2a9620579a08d6a91557e6cb8f1d2585392d30d
SHA25611ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf
SHA5123b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608
-
C:\Program Files (x86)\FileCenter\Main\lbvProt.dllFilesize
532KB
MD5120387e48d0556538ef3ee68de18a707
SHA10633de57f7ef851115be39d407db8e08986b3d93
SHA256e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e
SHA512a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da
-
C:\Program Files (x86)\FileCenter\Main\secman.dllFilesize
146KB
MD5085d87f49daf13496e0e018c4008fae6
SHA14b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA51252886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b
-
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exeFilesize
13.6MB
MD535b40b21383ac38487ceec8ab6e53565
SHA159894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA5123a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e
-
C:\ProgramData\FileCenter\ColumnStatesCab.iniFilesize
2KB
MD5c085fbcff41848caba96006fe269ee66
SHA17699c00b4007d7411f273c14520bde6287839ac2
SHA256430e377c78f8ae5bd5f088e83d31178b53306270457144c8ad56a5643cd9edbc
SHA512c6e71cc4dd3c2c4d01906c61bc4c4fc0061e90690448f51b18e3d80efc664e59d541f7dc5f6bfc9952ff522555dd31cca06325643ea060d46a93c83a3ff34e8b
-
C:\ProgramData\FileCenter\ColumnStatesCab.iniMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\FileCenter\Config.iniFilesize
42B
MD54a2b0b2d8d08db9fcc6eae2e25c9b4d1
SHA1bcbd9242fe7ad0afabb143453d732657cfc79ede
SHA25670bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e
SHA5125dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826
-
C:\ProgramData\FileCenter\Config.iniFilesize
23B
MD5b2ad8f8dcc45644ea167317d050faac4
SHA1215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA2569aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4
-
C:\ProgramData\FileCenter\Intercepts.iniFilesize
6KB
MD5293bfe23c32bd1332e4caf09e9bb347d
SHA11777f80e58dcc9b37cf87d73a4680723c7b87461
SHA2563f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264
SHA5120ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194
-
C:\ProgramData\FileCenter\Logs\Hooks_Last.txtFilesize
998B
MD534d2701eb65edf48a974a92eb049513c
SHA13303a25b98043e964c7ddd2c70e2b4f7b425fc71
SHA256e668a308bc06355ed17a9f4e65673885addebba5ae22151e53ba9e6ca83c2165
SHA51243fd0110519fdd7d2794dd9398eb4bc4f72e59291e7e4ea19cc4a44a6fbd2f86ec602b3bed6c7ed35b75c5323654c1d09893cbb2c52eae69fadb8dbdc95a9683
-
C:\ProgramData\FileCenter\MRUPDFEditor.iniFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\ProgramData\FileCenter\MyPortal.iniFilesize
26B
MD58af40c2a9db1af603163ed8b0e25a3d0
SHA136db1a9baec9e7d6d17073529afff9df063e68d9
SHA25664b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705
SHA5122662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d
-
C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txtFilesize
1KB
MD538c429561d5cf71f788735fc7d5ce1ee
SHA11d2101ab10694fa4fe89386e62315d66fcaa19ce
SHA256957588b4273c972016fe6a5c513b0697b5964b4f6acfabd43481a8d5211ccd6d
SHA512dcaca6eda0d2c44d0ad68c4bc0da0a47e998ea889379c839af4c38c36495f8111f81ff8e4c7114e826d73a584b84d3101845d1a06534b00a5b598d7c06f3bf3d
-
C:\ProgramData\FileCenter\Settings\HUBData_Lock.tmpFilesize
14B
MD5724deba0ee02aa7ad576295d784b1230
SHA1f4f36556c9babc24a278f5f2ddcce4bff6a64bc7
SHA256a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac
SHA5123855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556067634f68231081c4bd5bdbfcc202f
SHA15582776da6ffc75bb0973840fc3d15598bc09eb1
SHA2568c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD581e892ca5c5683efdf9135fe0f2adb15
SHA139159b30226d98a465ece1da28dc87088b20ecad
SHA256830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
528B
MD5b13ebbaa916caeb947b5cfe647254aba
SHA19f14797bac9241a5c8b8c5de95b970f268a6a51e
SHA25668b37a30bb89b2b165ffe3da6b8c4d5b24a88db76d93c2d7068b05d663d64352
SHA512af1ec682dfc366ffa13330de3206cbffaf9749a16179804e85fe0660c2a1ecf68590870cb0ce304ff8fb05b4cf2f039d196ed6e9893acac9811f304fabbd00f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5faed03cb2e708b5d4c38f1c7b6e7b5d4
SHA14beb2004b24ff1d9f45109fc747e1cd3a431a220
SHA256556be3b1cabf4d145efe3388b719dbe45c4dfe3e754c92783d55e55ba9e19827
SHA512fc9f679247189abf79f1219cb7b400e646a7d34019a3e6372b74c418d3099bb76f3b1b10b1b03b8689990a57f1910013ff2b6a97856d0b6b3877582c4ac9cd8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD548909d08ddb7abda626dad53743a4f0b
SHA1a863128a39deda904d5fd6cda2384ddd36021121
SHA2566bb87d5a34250d348cb9675a689753af062faed550b107d671d6fbb867d61384
SHA5127852ae4beb32ab0f225a8e9c0ffc9128ebb53fad3008a686c37744161e571da192bf302b95dcf374b92fd0361dad86abd1417bbe26e903d7a5b19eac64ec880f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD504babba85019d89b13a3ef9629122cc7
SHA10b2113d60d414f893c71971de74eda3d7e04e835
SHA2567cdd162ab5dcfe6d48d39c5698191937fa9a47c756fc1616be38d076c94be377
SHA512eac0153ebe56a7bd13fde27ec0c7110d3c94cdd79af36f4637dc1efea47f1b4ad5751345e06b73d0e5e79a8d4b8cda4312bbac0ea064357ac602f885d5d02016
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5afbb37b49782b3b53f074dd18e8d33a2
SHA1cdb58bbcecc6b065a7be9c908097c39701e8cee0
SHA2561f2933cf0113e00bb981627030364b8888daafca639fcb43affd046ef2c74f00
SHA512d4c0f114cdbc969832c6d3f4d6d354a48080eb1878ecae5f34c8a21b876dca2981fb4b830d72aad12cc176a948c029873159073c55122de3efb6ed8b9d2e2c9b
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exeFilesize
8.7MB
MD5e9638374a27160513f1a62827b6cf102
SHA1b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f
SHA256c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942
SHA5129632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c
-
C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmpFilesize
3.0MB
MD50acf3c16e6faca9c0aec525f53d03866
SHA15c3960b48d2b72ad02e59470d8a7b690ee826f9e
SHA2562c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151
SHA51217d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2
-
C:\Users\Admin\AppData\Local\Temp\prnInstaller.logFilesize
727B
MD5bed1074f151db8ebac73db1f088d6012
SHA191f6e5453944cc0f444cea69b12ec34d1b2e0ba1
SHA256a853a8d34d77d31b28306a81ceb7a13e82657f658e18d0237896c51bc48070eb
SHA5121393dd190f0d3f7c66b8ea2e1ddd37f273d5896e435ccd40cf9dcc8f26e9e8d872a359eb86b118632fd023c9446d3a45be3911d1a9bd94cc6bf84c0117f61af8
-
C:\Windows\Installer\MSI9BBE.tmpFilesize
1.3MB
MD55a36339a5bae618a2ef09d0adab0b602
SHA1437d251abdcfe4f9379c44336ff5b920df7a0fbf
SHA2562e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674
SHA512cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\.ba\logo.pngFilesize
5KB
MD504967ef5107480ea36b3e2e97af7eb7a
SHA16efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA25663f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA51200ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\.ba\wixstdba.dllFilesize
203KB
MD50ba387d66175c20452de372f8dbb79fe
SHA15411d41a7d88291b97fb9573eb6448c72e773b70
SHA2567b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA51213ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\PkgLite64Filesize
2.6MB
MD5e91e50fc80f7d84561db5823595e5b63
SHA1b3e40b17a668586e86f346e9a7e3b8ef4838d437
SHA2563203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948
SHA512c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\cab20036D21E40418DD3280D692958B9275Filesize
378KB
MD5bed8b8bddf71f7b921c8efac0eb69518
SHA1df2818992742ed4e80d28a94e1b0f43f280db455
SHA2563cbfff994fa8a50b2d89e0dc906eefaf50ea16b07acb8ed4478fb2b116fcb8a5
SHA5125699485985ea856d8ef3e97372e51c98eb81225c18ab5a851e1d8f574c0c9e77986563ad63e9b2118bd42edac0a39a46727306484be71af485955f9e818502d7
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\cab20F2A2993791BDD97B003B5578C7EAC7Filesize
2.3MB
MD5951b5426340de231c90e0be2780cc66e
SHA1fd6b966fd3270e53d8b1d660d69d4290b75b8a9d
SHA256afac74f4b16fbefff34daec002a027abab8d45b6113ce1fde320cbf2b8eec68d
SHA512038c0a171079502899366abf1101b173468a1a1997dafe94b6d217e26d5f6fec97e0d38fd4f7a70ef3d410dfdd18b7d93b3954776db3fc7ed9e91211492e0fb2
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\cab293E212B151FCAC5768C99D66AA8D9AEFilesize
1.8MB
MD5f7bd3fbb5859bd43e830b621c8ade037
SHA171838fa41b8906bdcb9a64eec599dafd25d92c6f
SHA256789ca746d45588380841494901a531abcf7a9a184f74af2cf049a77f489f4dc7
SHA51253dbfde654e6bdaaab257fc3968a50ee7b8e4641bdc739c55ce1697e869ac513a7f2dc72ab92074b062928d56ab6f8083c5fa8a71a16a2f6918cc52f73b81250
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\cab5DD1590118F3640F385DB3EB2F516E5CFilesize
17.1MB
MD5b8b961c9899ec926b1dd8258b0232626
SHA18ed4a38e4a7c856a427a068ec51539f2e630f86c
SHA256e9c26ae1625eb454e4cd78dd9ac145eeae94190f943b6fc72d250dc3acb703d7
SHA5125dbcdbaf86bb25029838b93fa5787d9833b3ac2e6861b3df405b7957f1e5355395bcc664f4a550d9d79a7d3f7d98ca740527d5a86ecd0bfe0df3e768016f1877
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\cab66549ACD4EE6139A64068CA8626575A9Filesize
1.5MB
MD5bf193f70c4ba12e12a592df1cdb17b40
SHA1e84a6d1cbcdc79926f7defef1ad4b7a8a651b5cb
SHA256cee91939598abb3ec23ce0dc93c7690421efdca54795997558ef0fc617442a82
SHA51223077213cb84b84096c93da33f3a23bda28bcda638ec3a9256f4ab064d8bf6f1e2860d32e6713716f35803db92fb30c4f07b0b2accccd914d7bcb75910b63d79
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\cab8D36E281ACA51D7FBE9AB973BE9B36E3Filesize
174KB
MD50102ec8e3aa2b964f2d7719dd00de809
SHA19a008c6acc5c70c8467621bf4a8e78930e2843a3
SHA256765cdd18ca4b9c8de8f16035ab46f740a9da9e628f24dbfe16800af41fa3122b
SHA512ee4f280449bcceb357290c1970914524fcb30931b240591cee3f540fbfe365a81f5d6201eee9e18598163f9be392062ee8cfcdf16d289c4bc2effa6061e69c94
-
C:\Windows\Temp\{ACD0BFA9-5CC3-47C2-AB6E-2A9470ADFED8}\.ba\logo.pngFilesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Windows\Temp\{ACD0BFA9-5CC3-47C2-AB6E-2A9470ADFED8}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{BD1B01B0-89EF-47A3-82A5-AD94243ED846}\.cr\PDFXLite10.exeFilesize
1.4MB
MD563ed90cdd501829a2319f8cf86c52bd2
SHA1da198bec49015e98baa5b2cb91903f659e31dd37
SHA256529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f
SHA512d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19
-
C:\Windows\Temp\{F3B228E9-267B-451A-97F8-84626EF487CF}\.cr\vc_redist.x86.exeFilesize
632KB
MD586123c033231dd7e427d619ddeefd26a
SHA1608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78
-
memory/364-966-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/364-1027-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/540-18-0x00000000005E0000-0x0000000001076000-memory.dmpFilesize
10.6MB
-
memory/860-1265-0x0000000000F10000-0x0000000002528000-memory.dmpFilesize
22.1MB
-
memory/860-1135-0x0000000000F10000-0x0000000002528000-memory.dmpFilesize
22.1MB
-
memory/860-1761-0x0000000000F10000-0x0000000002528000-memory.dmpFilesize
22.1MB
-
memory/860-1762-0x0000000002BF0000-0x0000000003629000-memory.dmpFilesize
10.2MB
-
memory/860-1757-0x0000000000F10000-0x0000000002528000-memory.dmpFilesize
22.1MB
-
memory/860-1136-0x0000000002BF0000-0x0000000003629000-memory.dmpFilesize
10.2MB
-
memory/860-1033-0x0000000002BF0000-0x0000000003629000-memory.dmpFilesize
10.2MB
-
memory/860-1162-0x0000000000F10000-0x0000000002528000-memory.dmpFilesize
22.1MB
-
memory/1396-1133-0x0000000000250000-0x0000000000CE6000-memory.dmpFilesize
10.6MB
-
memory/1540-22-0x00000000005E0000-0x0000000001076000-memory.dmpFilesize
10.6MB
-
memory/1724-12-0x0000000001680000-0x0000000001681000-memory.dmpFilesize
4KB
-
memory/1724-13-0x00000000005E0000-0x0000000001076000-memory.dmpFilesize
10.6MB
-
memory/2196-1026-0x0000000000400000-0x000000000052C000-memory.dmpFilesize
1.2MB
-
memory/3364-965-0x0000000000250000-0x0000000000CE6000-memory.dmpFilesize
10.6MB
-
memory/3364-716-0x0000000000250000-0x0000000000CE6000-memory.dmpFilesize
10.6MB
-
memory/3408-659-0x0000000000210000-0x00000000009CB000-memory.dmpFilesize
7.7MB
-
memory/3480-35-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-467-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-708-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-6-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-1031-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-185-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-19-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-20-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3480-15-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3608-24-0x00000000005E0000-0x0000000001076000-memory.dmpFilesize
10.6MB
-
memory/3704-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/3704-1032-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3704-0-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3704-14-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3768-558-0x0000000010000000-0x00000000101C8000-memory.dmpFilesize
1.8MB
-
memory/4016-969-0x0000000000250000-0x0000000000CE6000-memory.dmpFilesize
10.6MB
-
memory/4236-660-0x0000000000250000-0x0000000000CE6000-memory.dmpFilesize
10.6MB
-
memory/4372-564-0x0000000000A50000-0x0000000000A58000-memory.dmpFilesize
32KB
-
memory/4760-668-0x0000000005EF0000-0x0000000005EF8000-memory.dmpFilesize
32KB
-
memory/4760-575-0x0000000007620000-0x0000000009B0A000-memory.dmpFilesize
36.9MB
-
memory/4760-661-0x00000000058D0000-0x0000000005E74000-memory.dmpFilesize
5.6MB
-
memory/4760-664-0x0000000005420000-0x00000000054B2000-memory.dmpFilesize
584KB
-
memory/4760-567-0x0000000000630000-0x0000000000642000-memory.dmpFilesize
72KB
-
memory/4760-690-0x00000000064E0000-0x0000000006502000-memory.dmpFilesize
136KB
-
memory/4988-1160-0x00000000008B0000-0x0000000001CF6000-memory.dmpFilesize
20.3MB
-
memory/4988-1161-0x00000000024C0000-0x0000000002EF9000-memory.dmpFilesize
10.2MB
-
memory/4988-1134-0x00000000024C0000-0x0000000002EF9000-memory.dmpFilesize
10.2MB
-
memory/5004-705-0x000002424DA30000-0x000002424DA40000-memory.dmpFilesize
64KB
-
memory/5004-706-0x000002426A590000-0x000002426CA7A000-memory.dmpFilesize
36.9MB
-
memory/5004-709-0x000002424F7A0000-0x000002424F7A8000-memory.dmpFilesize
32KB
-
memory/5004-710-0x000002424F810000-0x000002424F832000-memory.dmpFilesize
136KB
-
memory/5708-1391-0x0000000002100000-0x0000000002B39000-memory.dmpFilesize
10.2MB
-
memory/5708-1764-0x0000000002100000-0x0000000002B39000-memory.dmpFilesize
10.2MB
-
memory/5708-1763-0x00000000008B0000-0x0000000001CF6000-memory.dmpFilesize
20.3MB
