Resubmissions
25-06-2024 14:19   240625-rm6bxsvdkb   6
21-06-2024 15:11   240621-sknjrsygjm   6
17-06-2024 17:09   240617-vn6wmawhlb   10
14-06-2024 13:23   240614-qmxjcawdmm   10

Analysis
max time kernel: 172s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 15:11
Static task: static1

Behavioral task: behavioral1
Sample: FileCenterSetup12.0.16.0.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: FileCenterSetup12.0.16.0.exe
Resource: win10v2004-20240611-en
General
Target: FileCenterSetup12.0.16.0.exe
Size: 300.4MB
MD5: 123556b83a3dad2f59e76602768e9536
SHA1: b402ded286fff73aaf9b32f075bc32029da6d461
SHA256: df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
SHA512: bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
SSDEEP: 6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx

Malware Config

Signatures
Adds Run key to start application (2 TTPs, 3 IoCs)
The two HKLM Run values point at FileCenterAgent.exe and FileCenterAutomateAgent.exe under C:\Program Files (x86)\FileCenter\Main and are written by the setup's own .tmp helper. The RunOnce value is written by PDFXLite10.exe for itself: "/burn.runonce" is the WiX Burn bootstrapper's resume switch, registered under Package Cache so the bundle can finish after the next logon; Windows deletes a RunOnce value before running it. What to check: that each image path is admin-writable only (Program Files is; ProgramData is worth a look at the folder ACL).
Processes: FileCenterSetup12.0.16.0.tmp, PDFXLite10.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" | FileCenterSetup12.0.16.0.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" | FileCenterSetup12.0.16.0.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce" | PDFXLite10.exe
Blocklisted process makes network request (2 IoCs)
Processes: msiexec.exe
flow | pid | process
59 | 3720 | msiexec.exe
61 | 3720 | msiexec.exe
Drops desktop.ini file(s) (1 IoCs)
Processes: MsiExec.exe
description | ioc | process
File opened for modification | C:\Users\Public\Desktop\desktop.ini | MsiExec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Every probe here comes from msiexec.exe, which opens each drive letter while costing disk space for an MSI install; on its own this is Windows Installer behaviour, not reconnaissance by the sample's own code.
Processes: msiexec.exe
description | ioc | process
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a value malware reads to geofence. Locale-aware installers and applications read the same value, so the lookup is weak evidence on its own; here it is read by the setup helpers, the COM registration tool, the PDF-XChange bootstrapper and the installed application.
Processes: FileCenterUtils.exe, GdPictureComReg.exe, PDFXLite10.exe, FileCenter.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | FileCenterUtils.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | GdPictureComReg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | FileCenterUtils.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | PDFXLite10.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | FileCenterUtils.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | FileCenter.exe
Drops file in System32 directory (9 IoCs)
The writes go to system32 and to the spool\DRIVERS\x64 print-driver store, and all come from PrnInstaller.exe, i.e. the pxc* virtual printer driver components being installed. Print-driver DLLs are loaded by the Print Spooler service as SYSTEM, so the Authenticode signatures on these files are the first thing to verify.
Processes: PrnInstaller.exe, prninstaller.exe
description | ioc | process
File created | C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml | PrnInstaller.exe
File opened for modification | C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll | PrnInstaller.exe
File created | C:\Windows\system32\pxc50pm.dll | prninstaller.exe
File created | C:\Windows\system32\pxcpmL.dll | PrnInstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll | PrnInstaller.exe
File opened for modification | C:\Windows\system32\pxc50pm.dll | prninstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL | prninstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL | prninstaller.exe
File opened for modification | C:\Windows\system32\pxcpmL.dll | PrnInstaller.exe
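The flattened IoC tables above (the Run key table and the System32 table) are hard to scan by eye, and the two questions a triager asks first are "what autostarts, from where, written by whom" and "what landed in System32, written by whom". The following is an added example written for this page, not code from the sandbox vendor or from the software being analysed: it parses the "<action> <target> <process>" wording the tables use, decodes the escaped registry values, and answers both questions. The two sample inputs are the table text copied from this page; the list of admin-only directories used to flag an autostart image is an assumption (ProgramData is writable by standard users by default, so an image there is flagged for a look at its folder ACL rather than declared bad).

```python
"""Parse the flattened IoC tables of this report and pull out autostart
entries and System32 writes.  Added example (not the sandbox vendor's code);
assumes each entry reads "<action> <target> <process>" as the tables do."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the "Adds Run key" table as it appears on this page.
RUN_KEY_TABLE = (
    r'FileCenterSetup12.0.16.0.tmpPDFXLite10.exedescription ioc process '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" FileCenterSetup12.0.16.0.tmp '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" FileCenterSetup12.0.16.0.tmp '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce" PDFXLite10.exe'
)
# Constructed input: four rows of the "Drops file in System32 directory" table.
SYS32_TABLE = (
    r'PrnInstaller.exeprninstaller.exedescription ioc process '
    r'File created C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml PrnInstaller.exe '
    r'File opened for modification C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll PrnInstaller.exe '
    r'File created C:\Windows\system32\pxc50pm.dll prninstaller.exe '
    r'File created C:\Windows\system32\pxcpmL.dll PrnInstaller.exe'
)

# Every entry starts with one of the action phrases the report uses.
ACTION_RE = re.compile(
    r'(Set value \((?:str|int|data)\)'
    r'|Key (?:value queried|created|opened|queried|deleted)'
    r'|File (?:created|opened for modification|opened \(read-only\)))'
)
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$', re.I)
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.I)
# Assumption: only these trees are admin-writable; anything else gets flagged.
PROTECTED_PREFIXES = ('c:\\program files', 'c:\\windows\\')


@dataclass
class Ioc:
    action: str
    target: str         # registry key/value path or file path
    value: str | None   # decoded data for "Set value" entries
    process: str


def parse_table(text: str) -> list[Ioc]:
    """Split a flattened table into entries; the leading process list is skipped."""
    parts = ACTION_RE.split(text)   # [header, action, body, action, body, ...]
    iocs = []
    for action, body in zip(parts[1::2], parts[2::2]):
        target, process = body.strip().rsplit(None, 1)   # process is the last token
        value = None
        if action.startswith('Set value') and ' = ' in target:
            target, raw = target.split(' = ', 1)
            # the report prints values as escaped string literals: \" and \\
            value = raw.strip('"').replace('\\"', '"').replace('\\\\', '\\')
        iocs.append(Ioc(action, target, value, process))
    return iocs


def image_path(command: str) -> str:
    """Program part of a command line: the quoted token, else up to the first .exe."""
    m = IMAGE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def autostart_entries(iocs: list[Ioc]) -> list[dict]:
    """Run/RunOnce values, flagged when the image lives outside the protected trees."""
    found = []
    for ioc in iocs:
        m = AUTOSTART_RE.search(ioc.target)
        if not m or ioc.value is None:
            continue
        image = image_path(ioc.value)
        found.append({
            'hive': 'HKLM' if ioc.target.startswith('\\REGISTRY\\MACHINE') else 'HKU',
            'key': m.group(1),
            'name': m.group(2),
            'image': image,
            'writer': ioc.process,
            'outside_protected_dirs': not image.lower().startswith(PROTECTED_PREFIXES),
        })
    return found


def system32_drops(iocs: list[Ioc]) -> list[tuple[str, str, str]]:
    """(process, action, path) for every file created or modified under System32."""
    return [(ioc.process, ioc.action, ioc.target) for ioc in iocs
            if ioc.action.startswith('File')
            and ioc.target.lower().startswith('c:\\windows\\system32\\')]


if __name__ == '__main__':
    for entry in autostart_entries(parse_table(RUN_KEY_TABLE)):
        print(entry)
    for drop in system32_drops(parse_table(SYS32_TABLE)):
        print(drop)
```

Run against the two tables, the Run values resolve to images under Program Files (x86) and are not flagged, while the RunOnce value resolves to PDFXLite10.exe under C:\ProgramData\Package Cache and is flagged; the System32 list comes back as four rows all written by PrnInstaller.exe/prninstaller.exe. The same parser works on every other "description ioc process" table on this page, since they share the action vocabulary in ACTION_RE.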
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. No IoC is listed for this signature; the COM registrations it refers to are the ones under "Modifies registry class" below, so check there for any InprocServer32 or CodeBase value that replaces an existing CLSID rather than creating a new one.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Processes: FileCenterSetup12.0.16.0.tmp, msiexec.exe, PDFX5SA_sm.tmp, regsvr32.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjpeg2k15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-DPUF8.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.zh-TW.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Drivers\is-REDBN.tmp | PDFX5SA_sm.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterReceipts.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineRI.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\DTKBarReader.dll | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\Dlltwain.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-A285U.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\ISYSreadersocr.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Tips\is-3GOJF.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Samples\is-JO56U.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.da-DK.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\unins000.dat | PDFX5SA_sm.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.fr-FR.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-7D92Q.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-318UE.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\secman.dll.log | regsvr32.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjpeg15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.pl-PL.xcl | msiexec.exe
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.pt-PT.xcl | msiexec.exe
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.de-DE.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-CFC2V.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-QOH5R.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-EGQSE.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-BVIL3.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-MLOFB.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.pt-BR.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Main\secman64.dll | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsbarcode15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-DNVKB.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-QV1PG.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\EZT4Dcx.dll | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\EZT4Ocr.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-383H0.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\PXC50uif.dll | PDFX5SA_sm.tmp
File created | C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\unins000.dat | PDFX5SA_sm.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateAgent.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\EZT4Pdf.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-NV01E.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\x86\pxcdrvL.dll | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-2OPPB.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-GOINS.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.lt-LT.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-T8P8D.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.he-IL.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-R17AT.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-E4D2A.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-84QF1.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-T98JP.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-ERF69.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Uninstall\FileCenter\unins000.dat | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.tr-TR.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterAgent64.dll | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\clgsapi32w.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-OMPGS.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe | PDFX5SA_sm.tmp
File created | C:\Program Files (x86)\FileCenter\Main\GdOCR\is-067TQ.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-6T5PN.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-H3D4B.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-35J24.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenter.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdocout15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-1SEVS.tmp | FileCenterSetup12.0.16.0.tmp
Drops file in Windows directory (20 IoCs)
All writes are the Windows Installer service caching the package (e5897d6.msi, e5897da.msi) under C:\Windows\Installer, extracting custom-action binaries as MSI*.tmp, and touching the .NET ngen log. The cached .msi is the copy to pull if the package needs offline inspection, and {6318D993-1BE8-4BE4-B9E9-D6BFED11A071} is its product code.
Processes: msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI9C5B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9DF6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6318D993-1BE8-4BE4-B9E9-D6BFED11A071} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9F40.tmp | msiexec.exe
File created | C:\Windows\Installer\e5897d6.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9BBE.tmp | msiexec.exe
File created | C:\Windows\Installer\e5897da.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA443.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA4C1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e5897d6.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9EE1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9DB6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA319.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9C8B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9D48.tmp | msiexec.exe
Executes dropped EXE (30 IoCs)
Process IDs are reused within this run (4760 appears as both regasm.exe and XCVault.exe, 3664 as both PDFXLite10.exe and TASKKILL.exe), so cross-reference the tables on name plus pid, never on pid alone.
Processes: FileCenterSetup12.0.16.0.tmp, FileCenterUtils.exe, GdPictureComReg.exe, vc_redist.x86.exe, FileCenterAutomateService.exe, PDFXLite10.exe, PrnInstaller.exe, pdfSaverL.exe, PDFX5SA_sm.exe, PDFX5SA_sm.tmp, prninstaller.exe, pdfSaver5.exe, XCVault.exe, FileCenter.exe, FileCenterAgent.exe
pid | process
3480 | FileCenterSetup12.0.16.0.tmp
1724 | FileCenterUtils.exe
540 | FileCenterUtils.exe
1540 | FileCenterUtils.exe
3608 | FileCenterUtils.exe
4236 | FileCenterUtils.exe
4372 | GdPictureComReg.exe
4960 | vc_redist.x86.exe
1532 | vc_redist.x86.exe
3408 | FileCenterAutomateService.exe
3364 | FileCenterUtils.exe
3664 | PDFXLite10.exe
4464 | PDFXLite10.exe
2668 | PDFXLite10.exe
4892 | PrnInstaller.exe
2072 | (process name not present in the report)
1564 | pdfSaverL.exe
3532 | pdfSaverL.exe
4016 | FileCenterUtils.exe
364 | PDFX5SA_sm.exe
2196 | PDFX5SA_sm.tmp
1068 | prninstaller.exe
3728 | pdfSaver5.exe
4760 | XCVault.exe
860 | FileCenter.exe
5064 | pdfSaverL.exe
3332 | pdfSaverL.exe
1396 | FileCenterUtils.exe
4988 | FileCenterAgent.exe
5708 | FileCenterAgent.exe
Loads dropped DLL (34 IoCs)
Processes: regsvr32.exe, regasm.exe, vc_redist.x86.exe, PDFXLite10.exe, MsiExec.exe, PDFX5SA_sm.tmp, FileCenter.exe, FileCenterAgent.exe
pid | process (number of loads)
5024 | regsvr32.exe
3304 | regsvr32.exe
3596 | regsvr32.exe
3768 | regsvr32.exe
3388 | regsvr32.exe
376 | regsvr32.exe (2)
4760 | regasm.exe (4)
1532 | vc_redist.x86.exe
4464 | PDFXLite10.exe
1968 | MsiExec.exe (7)
2116 | MsiExec.exe (2)
1968 | MsiExec.exe
2196 | PDFX5SA_sm.tmp
2072 | (process name not present in the report) (2)
860 | FileCenter.exe (4)
4988 | FileCenterAgent.exe (2)
5708 | FileCenterAgent.exe (2)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here the only actor is vssvc.exe, the Volume Shadow Copy service, creating and writing the Partmgr cache values for the disk, which is consistent with a snapshot being taken during the install; no process belonging to the sample reads the SCSI key on this page, so this entry is not evidence of sandbox detection.
Processes: vssvc.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache =
0000000004000000a1a8d825d9cc14480000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a1a8d8250000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a1a8d825000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da1a8d825000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a1a8d82500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Enumerates system info in registry (2 TTPs, 3 IoCs)
The only reader of the BIOS manufacturer and product strings is msedge.exe; none of the sample's own processes queries them on this page, so this signature does not show the sample fingerprinting the hardware.
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Kills process with taskkill (27 IoCs)
Processes: TASKKILL.exe
pid | process
TASKKILL.exe pids: 5096, 4448, 4308, 5828, 4952, 3776, 428, 4284, 3576, 3452, 4756, 3664, 2968, 5064, 2244, 180, 4700, 5836, 4220, 5024, 4896, 1952, 3544, 1440, 4016, 1068, 3724
Modifies Internet Explorer Low Rights ElevationPolicy (8 IoCs)
ElevationPolicy entries tell Internet Explorer Protected Mode how a named program may be launched from a low-integrity tab; Policy = 3 means launch silently at medium integrity. Two entries are added, for pdfSaver5.exe and pdfSaverL.exe, the pdfSaver components installed by this package. A Policy = 3 entry whose AppPath is user-writable would be a Protected Mode escape; both AppPaths here are under Program Files.
Processes: msiexec.exe, PDFX5SA_sm.tmp
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} | PDFX5SA_sm.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" | PDFX5SA_sm.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" | PDFX5SA_sm.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" | PDFX5SA_sm.tmp
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" | msiexec.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Modifies registry class (64 IoCs)
These are COM registrations: regasm.exe registers the managed GdPicture.NET.14 assembly for COM (InprocServer32 = mscoree.dll, with Assembly, RuntimeVersion and a CodeBase pointing at GdPicture.NET.14.DLL under Program Files (x86)), regsvr32.exe registers interfaces and type libraries for native components, and XCVault.exe registers its own ProgID. The TypeLib Version "e.2" is hexadecimal, i.e. 14.2. What to check: a CodeBase or InprocServer32 path under a user-writable directory would let a standard user swap the DLL that every COM client loads; all paths on this page are under Program Files (x86).
Processes: regasm.exe, regsvr32.exe, XCVault.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6E145F8-828D-36C9-9FAD-24DAFD63BE9A}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC305882-1ABA-3F2C-A65E-21C65724405D}\ = "_AnnotationComment" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6835517-900C-37F4-B861-936E79F91A48}\InprocServer32 | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83328EEE-6A61-41A5-AC05-CBEEB93FB630} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F578A25-D034-35D4-86DE-F5B986E0AC71}\TypeLib | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E2CC9E0-0E1D-3BB4-978C-49CB86E5389F}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{47E0ED94-1A20-3001-B99E-93B943446B6D} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00A6C0B2-9F12-3145-BBA5-DC5D71A5963B}\ = "_ControlMouseWheelEventHandler" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E44BB2E-FE28-495A-9D65-B4845C676567}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{419BF6AA-AA35-3FBC-B01B-554F71547437}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1737240B-9039-3E31-B522-2E6D9ED279E0}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3C2B51C-003A-4D39-A90A-BB4486BF1E2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{68536869-DF6F-30E7-8388-90030E7F9FDF}\14.2.69.0\Class = "GdPicture14.PdfSignatureHash" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56169002-DDE6-3E69-B5A6-F822875A8F98} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GdPicture14.GdPicturePDFReducer\CLSID | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12A9C2C4-700D-3621-BF41-CA4109FB648A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{04F02086-5AEB-39DB-AFBE-B01E669F37FB}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F7817FE-ED49-4111-A10D-B187262CF499}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51DE5D08-F43E-386D-AE8D-9A8EEF3C7B60}\InprocServer32\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1FB2340C-1E2A-3B9C-A78E-28C55F46EC7C}\14.2.69.0\Class = "GdPicture14.PdfDocumentMergingOptions" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A746F33A-F50D-383F-880C-8B2EF54A38D3}\14.2.69.0\Class = "GdPicture14.MICRContext" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8756C601-DB33-3E27-A201-89D054D1148A}\TypeLib | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F6F77C6-6570-3583-B9E4-95C1551B0455}\TypeLib | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EF5FC277-ED69-3343-8AF7-B140C21CE2E2}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64C637FA-F48B-34D1-A304-DC66BA9197C7}\TypeLib\Version = "e.2" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC70B8EB-6829-3575-8A6C-F50F1F17132F} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B49BC40E-9DA8-39EA-B326-2FED8F629A16}\14.2.69.0\Class = "GdPicture14.PdfAnnotationFlag" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C514BAF9-7532-33E9-9198-CDDC695B414B}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB35E2D7-12DB-4DD7-AE5E-43B6E2B9D163}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{999A6C12-A602-4601-9866-0B9AE973B7F2} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F64923D-567C-4603-82D9-1AAABB307C20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{37E99E54-EBC0-3812-8B9C-9694F16FF3F3} | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B27E7FF-6279-49DA-AE6B-8E13AD665B1F}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2666B658-5DDB-3409-9EDC-8B7A7AADFC26}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96AAC88F-80CA-43E8-8576-8221FA5608B2}\ProxyStubClsid32 | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{206530FD-ED79-48C5-A590-4FC73CF3BD58}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{732C85A4-B68F-4D3F-920A-B13DB0BDC9C8}\Implemented Categories | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C5CE95F-3FC4-4FE8-8159-21D550451AF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78874680-AE90-4F97-8236-5016AFFE6569}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70026DA6-0CB8-4F47-8789-5DEF9F2BC4A1}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A4B2A31-5192-353E-BD93-76DEE87DB99E}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D6A9405-9A84-362E-875E-2B6C1801C196}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AC50C196-9EF9-3BFB-8E62-BC5CE6779E4C}\TypeLib | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DAAB4CCC-0DED-382B-B4B8-533519BED688}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A527388D-E382-4227-BDAA-D8278C7B1924}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8ACDBCC-219F-3158-9143-5ADD1D753CFE}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EB0BFF89-7F16-360E-A5B8-7D5E5BCF7CB3}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{47BD6E57-590F-325A-90B0-DA2B5F691A9B}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\ = "mscoree.dll" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E6A9E70-4B40-48C5-A77E-1E6489C96521}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CED0F57-B96A-4CF2-83B8-130E544A2644}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XCVault\DefaultIcon\ = "\"C:\\Program Files (x86)\\FileCenter\\Drivers\\Vault\\XCVault.exe\", 1" | XCVault.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C8238AD-4C2C-480B-8945-747DACCD06EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F6C77B-0FFF-43F5-8DE3-0715163D80DD} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C0F85EB-00C8-33F4-8407-D77C223841B9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{50B4C2D7-BD1F-3AA0-B81F-8C1054BC813E}\14.2.69.0 | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEF95872-5108-3B21-945F-2AC999C690F9}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BB55E4-30AD-3EE8-A1F7-58A9B4A6F59D}\TypeLib\Version = "e.2" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4632AD28-FA8B-3BAA-BA67-C9C604AB0F9D}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GdPicture14.GdPicturePDF\CLSID\ = "{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2149EA7-B58E-378B-8E52-70645A0BEC94}\TypeLib | regasm.exe
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
pid process (number of hits)
1724 FileCenterUtils.exe (x2)
540 FileCenterUtils.exe (x2)
1540 FileCenterUtils.exe (x2)
3480 FileCenterSetup12.0.16.0.tmp (x2)
3608 FileCenterUtils.exe (x2)
376 regsvr32.exe (x2)
3408 FileCenterAutomateService.exe (x2)
3364 FileCenterUtils.exe (x2)
3720 msiexec.exe (x2)
1968 MsiExec.exe (x2)
4016 FileCenterUtils.exe (x2)
2196 PDFX5SA_sm.tmp (x2)
860 FileCenter.exe (x2)
1396 FileCenterUtils.exe (x2)
4988 FileCenterAgent.exe (x2)
2756 msedge.exe (x2)
1752 msedge.exe (x2)
3724 identity_helper.exe (x2)
5708 FileCenterAgent.exe (x2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid process (number of hits)
1752 msedge.exe (x3)
-
Suspicious behavior: SetClipboardViewer 6 IoCs
Processes:
pid process (number of hits)
860 FileCenter.exe (x4)
4988 FileCenterAgent.exe (x2)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4756 TASKKILL.exe
Token: SeDebugPrivilege 3544 TASKKILL.exe
Token: SeDebugPrivilege 3576 TASKKILL.exe
Token: SeDebugPrivilege 1068 TASKKILL.exe
Token: SeDebugPrivilege 4284 TASKKILL.exe
Token: SeDebugPrivilege 4952 TASKKILL.exe
Token: SeDebugPrivilege 5096 TASKKILL.exe
Token: SeDebugPrivilege 3724 TASKKILL.exe
Token: SeDebugPrivilege 4448 TASKKILL.exe
Token: SeDebugPrivilege 3664 TASKKILL.exe
Token: SeDebugPrivilege 3776 TASKKILL.exe
Token: SeDebugPrivilege 5024 TASKKILL.exe
Token: SeDebugPrivilege 4220 TASKKILL.exe
Token: SeDebugPrivilege 5064 TASKKILL.exe
Token: SeBackupPrivilege 3552 vssvc.exe
Token: SeRestorePrivilege 3552 vssvc.exe
Token: SeAuditPrivilege 3552 vssvc.exe
Token: SeShutdownPrivilege 2668 PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege 2668 PDFXLite10.exe
Token: SeSecurityPrivilege 3720 msiexec.exe
Token: SeCreateTokenPrivilege 2668 PDFXLite10.exe
Token: SeAssignPrimaryTokenPrivilege 2668 PDFXLite10.exe
Token: SeLockMemoryPrivilege 2668 PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege 2668 PDFXLite10.exe
Token: SeMachineAccountPrivilege 2668 PDFXLite10.exe
Token: SeTcbPrivilege 2668 PDFXLite10.exe
Token: SeSecurityPrivilege 2668 PDFXLite10.exe
Token: SeTakeOwnershipPrivilege 2668 PDFXLite10.exe
Token: SeLoadDriverPrivilege 2668 PDFXLite10.exe
Token: SeSystemProfilePrivilege 2668 PDFXLite10.exe
Token: SeSystemtimePrivilege 2668 PDFXLite10.exe
Token: SeProfSingleProcessPrivilege 2668 PDFXLite10.exe
Token: SeIncBasePriorityPrivilege 2668 PDFXLite10.exe
Token: SeCreatePagefilePrivilege 2668 PDFXLite10.exe
Token: SeCreatePermanentPrivilege 2668 PDFXLite10.exe
Token: SeBackupPrivilege 2668 PDFXLite10.exe
Token: SeRestorePrivilege 2668 PDFXLite10.exe
Token: SeShutdownPrivilege 2668 PDFXLite10.exe
Token: SeDebugPrivilege 2668 PDFXLite10.exe
Token: SeAuditPrivilege 2668 PDFXLite10.exe
Token: SeSystemEnvironmentPrivilege 2668 PDFXLite10.exe
Token: SeChangeNotifyPrivilege 2668 PDFXLite10.exe
Token: SeRemoteShutdownPrivilege 2668 PDFXLite10.exe
Token: SeUndockPrivilege 2668 PDFXLite10.exe
Token: SeSyncAgentPrivilege 2668 PDFXLite10.exe
Token: SeEnableDelegationPrivilege 2668 PDFXLite10.exe
Token: SeManageVolumePrivilege 2668 PDFXLite10.exe
Token: SeImpersonatePrivilege 2668 PDFXLite10.exe
Token: SeCreateGlobalPrivilege 2668 PDFXLite10.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
Token: SeTakeOwnershipPrivilege 3720 msiexec.exe
Token: SeRestorePrivilege 3720 msiexec.exe
-
Suspicious use of FindShellTrayWindow 32 IoCs
Processes:
pid process (number of hits)
3480 FileCenterSetup12.0.16.0.tmp (x1)
2196 PDFX5SA_sm.tmp (x2)
4988 FileCenterAgent.exe (x2)
1752 msedge.exe (x26)
5708 FileCenterAgent.exe (x1)
-
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
pid process (number of hits)
4988 FileCenterAgent.exe (x2)
1752 msedge.exe (x24)
5708 FileCenterAgent.exe (x1)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid process (number of hits)
860 FileCenter.exe (x3)
4988 FileCenterAgent.exe (x1)
5708 FileCenterAgent.exe (x1)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process -> target process (number of writes)
PID 3704 wrote to memory of 3480: FileCenterSetup12.0.16.0.exe -> FileCenterSetup12.0.16.0.tmp (x3)
PID 3480 wrote to memory of 1724: FileCenterSetup12.0.16.0.tmp -> FileCenterUtils.exe (x3)
PID 3480 wrote to memory of 540: FileCenterSetup12.0.16.0.tmp -> FileCenterUtils.exe (x3)
PID 3480 wrote to memory of 1540: FileCenterSetup12.0.16.0.tmp -> FileCenterUtils.exe (x3)
PID 1540 wrote to memory of 4284: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 1540 wrote to memory of 4756: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 1540 wrote to memory of 3576: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 1540 wrote to memory of 5096: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 1540 wrote to memory of 1068: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 1540 wrote to memory of 3544: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 1540 wrote to memory of 4952: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3480 wrote to memory of 3608: FileCenterSetup12.0.16.0.tmp -> FileCenterUtils.exe (x3)
PID 3608 wrote to memory of 3724: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3608 wrote to memory of 4220: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3608 wrote to memory of 3664: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3608 wrote to memory of 5024: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3608 wrote to memory of 4448: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3608 wrote to memory of 5064: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3608 wrote to memory of 3776: FileCenterUtils.exe -> TASKKILL.exe (x3)
PID 3480 wrote to memory of 4236: FileCenterSetup12.0.16.0.tmp -> FileCenterUtils.exe (x3)
PID 4372 wrote to memory of 4760: GdPictureComReg.exe -> regasm.exe (x3)
PID 4960 wrote to memory of 1532: vc_redist.x86.exe -> vc_redist.x86.exe (x1)
-
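The WriteProcessMemory list is a flat record of parent-to-child writes, and the sandbox logs one entry per call, so every process-creation edge repeats. It reads much better as a tree. The following is an added example written for this page (not Triage's code, not FileCenter's) that parses entries in exactly the format shown, collapses the repeated edges, reconstructs lineage per PID and flags children that are living-off-the-land binaries. The sample is a subset of the entries above, run together on one line the way the extracted page presents them; the LOLBINS list is this example's own assumption.

```python
"""Rebuild parent/child lineage from the flattened 'Suspicious use of WriteProcessMemory'
list of a sandbox report.

Each IoC reads:
    PID <parent> wrote to memory of <child> <parent> <parent image> <child image>
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the report's entries, joined on one line as extracted.
SAMPLE = (
    "PID 3704 wrote to memory of 3480 3704 FileCenterSetup12.0.16.0.exe FileCenterSetup12.0.16.0.tmp "
    "PID 3704 wrote to memory of 3480 3704 FileCenterSetup12.0.16.0.exe FileCenterSetup12.0.16.0.tmp "
    "PID 3704 wrote to memory of 3480 3704 FileCenterSetup12.0.16.0.exe FileCenterSetup12.0.16.0.tmp "
    "PID 3480 wrote to memory of 1540 3480 FileCenterSetup12.0.16.0.tmp FileCenterUtils.exe "
    "PID 1540 wrote to memory of 4284 1540 FileCenterUtils.exe TASKKILL.exe "
    "PID 1540 wrote to memory of 4756 1540 FileCenterUtils.exe TASKKILL.exe "
    "PID 4372 wrote to memory of 4760 4372 GdPictureComReg.exe regasm.exe "
    "PID 4960 wrote to memory of 1532 4960 vc_redist.x86.exe vc_redist.x86.exe"
)

# \s+ rather than a literal space so an entry split across two extracted lines still matches.
ENTRY = re.compile(
    r"PID\s+(?P<ppid>\d+)\s+wrote to memory of\s+(?P<pid>\d+)\s+(?P=ppid)\s+"
    r"(?P<pimage>\S+)\s+(?P<image>\S+)"
)

# Children worth surfacing when a third-party parent spawns them (this example's own list).
LOLBINS = {"regasm.exe", "regsvr32.exe", "taskkill.exe", "msiexec.exe", "rundll32.exe",
           "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}

def parse_wpm(text):
    """Return (images, parent, hits): pid->image, child pid->parent pid, Counter of (ppid, pid)."""
    images, parent, hits = {}, {}, Counter()
    for m in ENTRY.finditer(text):
        ppid, pid = int(m["ppid"]), int(m["pid"])
        images[ppid] = m["pimage"]
        images[pid] = m["image"]
        parent[pid] = ppid
        hits[(ppid, pid)] += 1
    return images, parent, hits

def roots(images, parent):
    """PIDs that were never written to by anyone in the list (tree roots)."""
    return sorted(p for p in images if p not in parent)

def lineage(images, parent, pid):
    """Ancestry from the root down to pid, as 'image(pid)' strings."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(f"{images[pid]}({pid})")
        pid = parent.get(pid)
    return chain[::-1]

def lolbin_children(images, parent):
    """(parent image, child image, child pid) for every child whose image is on LOLBINS."""
    return sorted((images[pp], images[p], p) for p, pp in parent.items()
                  if images[p].lower() in LOLBINS)

def render(images, parent, hits):
    """Indented tree, one line per process, annotated with the number of writes per edge."""
    children = defaultdict(list)
    for pid, ppid in parent.items():
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        note = f"  [{hits[(parent[pid], pid)]} writes]" if pid in parent else ""
        flag = "  <-- LOLBin child" if pid in parent and images[pid].lower() in LOLBINS else ""
        lines.append(f"{'    ' * depth}{images[pid]} ({pid}){note}{flag}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots(images, parent):
        walk(r, 0)
    return lines

if __name__ == "__main__":
    images, parent, hits = parse_wpm(SAMPLE)
    print("\n".join(render(images, parent, hits)))
    for chain in (lineage(images, parent, 4284), lineage(images, parent, 4760)):
        print(" -> ".join(chain))
```

Two things fall out of the tree that the flat list hides: every TASKKILL child hangs off the two FileCenterUtils.exe helper instances rather than off the setup binary itself, and regasm.exe is spawned by GdPictureComReg.exe, which is the parent you would expect for a .NET COM registration.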
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$B004E,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtilsInfo.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtilsInfo.ini"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -CLOSEALL3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterPortal.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReceipts.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReports.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -INSTBEG3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterPortal.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReceipts.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterReports.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterAgent.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb5⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb5⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"4⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{F3B228E9-267B-451A-97F8-84626EF487CF}\.cr\vc_redist.x86.exe"C:\Windows\Temp\{F3B228E9-267B-451A-97F8-84626EF487CF}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=656 -burn.filehandle.self=684 /install /quiet /norestart5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"4⤵
- Executes dropped EXE
-
C:\Windows\Temp\{BD1B01B0-89EF-47A3-82A5-AD94243ED846}\.cr\PDFXLite10.exe"C:\Windows\Temp\{BD1B01B0-89EF-47A3-82A5-AD94243ED846}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\.be\PDFXLite10.exe"C:\Windows\Temp\{A390CA37-52AE-4FC3-A889-971A673D3792}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{3089B57C-9094-44BA-BA10-3614CF53ECA8} {4BB312B7-88F9-4A14-B253-802C48B2D910} 44646⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"4⤵
- Executes dropped EXE
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HQGH8.tmp\PDFX5SA_sm.tmp"C:\Users\Admin\AppData\Local\Temp\is-HQGH8.tmp\PDFX5SA_sm.tmp" /SL5="$40306,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "6⤵
- Drops file in System32 directory
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install6⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 3A006377990EC9937D1C961010FD2B2F2⤵
- Drops desktop.ini file(s)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding F232A69EE1107F9D300AD5D8C5758EDD E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"2⤵
- Drops file in System32 directory
- Executes dropped EXE
-
C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"2⤵
- Executes dropped EXE
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterAgent.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=TMUACBLB&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=12352⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe741c46f8,0x7ffe741c4708,0x7ffe741c47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5280 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,6120458283947926172,18309813826532575096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe2⤵
- Kills process with taskkill
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x304 0x2f41⤵
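Each line of the process list above is three fields run together by extraction: the image path, the full command line, and the tree depth, followed by the arrow. Since the command lines are where the triage-relevant facts sit (which DLLs regsvr32 and regasm registered, and with which flags; which processes the installer killed; what the browser launch sends to the vendor), here is an added example written for this page, not Triage's code and not FileCenter's, that splits those fused fields, rebuilds the tree from the depth digits and extracts those facts. The sample is eleven lines copied verbatim from the list above. Reading the URL's CN and UN parameters as computer name and user name is this example's interpretation (UN=Admin does match the sandbox user's profile directory); the page shows the URL is plain http.

```python
"""Parse the fused '<image path><command line><depth>⤵' process lines of an extracted
sandbox report into a tree and pull out COM registrations, taskkill targets and the
query string handed to the browser."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: eleven process lines copied verbatim from the report above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"1⤵
C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-RS5VH.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$B004E,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"2⤵
C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe"C:\Users\Admin\AppData\Local\Temp\is-MEEF7.tmp\FileCenterUtils.exe" -CLOSEALL3⤵
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterScanner.exe4⤵
C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND3⤵
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"4⤵
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent4⤵
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb5⤵
C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"1⤵
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=TMUACBLB&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=12352⤵
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x304 0x2f41⤵
"""

TAIL = re.compile(r"(\d)⤵\s*$")          # the depth is the last digit before the arrow
EXT = re.compile(r"\.(?:exe|tmp)", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # Windows-style argv: double-quoted runs are one token
DRIVE = re.compile(r"[A-Za-z]:\\")

def base(path):
    return path.rsplit("\\", 1)[-1]

def split_image(body):
    """Image path and argv[0] are fused: the image is the shortest prefix ending in
    .exe/.tmp after which the command line restarts (a quote, a drive letter, or the
    image's own stem, as TASKKILL does)."""
    for m in EXT.finditer(body):
        image, rest = body[:m.end()], body[m.end():]
        stem = base(image).rsplit(".", 1)[0].lower()
        if rest.startswith('"') or DRIVE.match(rest) or rest.lower().startswith(stem):
            return image, rest
    return None, body

def tokens(cmd):
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]

def parse_tree(text):
    """List of {image, cmd, depth, parent image} in page order, parents resolved by depth."""
    entries, stack = [], []
    for raw in text.splitlines():
        m = TAIL.search(raw)
        if not m:
            continue
        image, cmd = split_image(raw[:m.start()])
        if image is None:
            continue
        depth = int(m.group(1))
        node = {"image": image, "cmd": cmd.strip(), "depth": depth, "parent": None}
        del stack[depth - 1:]                   # pop back to this node's parent level
        if stack:
            node["parent"] = stack[-1]["image"]
        stack.append(node)
        entries.append(node)
    return entries

def registered_servers(entries):
    """(registrar, DLL, used /codebase, parent image) for every regsvr32/regasm invocation."""
    out = []
    for e in entries:
        registrar = base(e["image"]).lower()
        if registrar not in ("regsvr32.exe", "regasm.exe"):
            continue
        args = tokens(e["cmd"])[1:]                                   # drop argv[0]
        dll = next((a for a in args if not a.startswith(("/", "-"))), None)
        flags = {a.lower() for a in args if a.startswith("/")}
        out.append((registrar, dll, "/codebase" in flags, base(e["parent"] or "")))
    return out

def killed_images(entries):
    """(target image, forced with /F) for every TASKKILL /IM invocation."""
    out = []
    for e in entries:
        if base(e["image"]).lower() != "taskkill.exe":
            continue
        args = tokens(e["cmd"])
        upper = [a.upper() for a in args]
        if "/IM" in upper:
            out.append((args[upper.index("/IM") + 1], "/F" in upper))
    return out

def url_disclosure(entries, identity_keys=("CN", "UN")):
    """Scheme, host and query parameters of a URL passed via --single-argument; the
    identity_keys default is this example's reading of the report's CN/UN parameters."""
    for e in entries:
        args = tokens(e["cmd"])
        if "--single-argument" in args:
            u = urlsplit(args[args.index("--single-argument") + 1])
            params = dict(parse_qsl(u.query, keep_blank_values=True))
            return {"scheme": u.scheme, "host": u.hostname, "params": params,
                    "identity": {k: params[k] for k in identity_keys if params.get(k)}}
    return None

if __name__ == "__main__":
    entries = parse_tree(SAMPLE)
    for e in entries:
        print("    " * (e["depth"] - 1) + base(e["image"]))
    print(registered_servers(entries), killed_images(entries), url_disclosure(entries), sep="\n")
```

The regasm call is the one to note: `/codebase` writes an absolute path into the registry so the assembly is loaded from Program Files rather than the GAC, which is what makes the CodeBase value under HKLM\SOFTWARE\Classes\Record the path worth verifying. The welcome URL is a separate finding: the product version, a CN value and the user name Admin leave the machine in a cleartext GET on first launch.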
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
1Replay Monitor
Loading Replay Monitor...
Downloads