df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9

Resubmissions

25-06-2024 14:19

240625-rm6bxsvdkb 6

21-06-2024 15:11

240621-sknjrsygjm 6

17-06-2024 17:09

240617-vn6wmawhlb 10

14-06-2024 13:23

240614-qmxjcawdmm 10

Analysis

max time kernel
497s
max time network
492s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileCenterSetup12.0.16.0.exe
Size

300.4MB
MD5

123556b83a3dad2f59e76602768e9536
SHA1

b402ded286fff73aaf9b32f075bc32029da6d461
SHA256

df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
SHA512

bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
SSDEEP

6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FileCenterSetup12.0.16.0.tmpPDFXLite10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce"	PDFXLite10.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

MsiExec.exe

description ioc process

File opened for modification C:\Users\Public\Desktop\desktop.ini MsiExec.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 11 IoCs

Processes:

PrnInstaller.exesplwow64.exeprninstaller.exe

description	ioc	process
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File opened for modification	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File created	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File opened for modification	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL	prninstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL	prninstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml	PrnInstaller.exe
File created	C:\Windows\system32\spool\PRINTERS\00003.SPL	splwow64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpmsiexec.exePDFX5SA_sm.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.barcode.2d.reader.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-D4IOJ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-NPBE3.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-GQDGA.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterAgent64.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\Separators.exe	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\lbvProt.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-4ME83.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-JR352.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-CC70G.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-31OHJ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.fy-NL.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-25KSQ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-R9ON2.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\win32\is-1108P.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsasian215.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.image.gdimgplug.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-SLUCM.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.az-Latn-AZ.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-V3K7E.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-ED32G.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-QN4N1.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-6O15H.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.de-DE.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\DTKBarReader.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-64NU7.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-CN.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjpeg15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-T4Q0U.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.da-DK.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.lt-LT.xcl	msiexec.exe
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\Help\PDFXLicense.pdf	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.da-DK.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-15UFJ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-TRM0E.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Uninstall\FileCenter\unins000.dat	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-MU4JT.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-9NORT.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-5U93F.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Drivers\Vault\is-TQG9L.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.barcode.1d.reader.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-78GEJ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-AMGN1.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\titrules.js	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsjpeg2k15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-G7V86.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-NAA98.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-4VOO2.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.pt-PT.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterAutomate.exe	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Help\fc-automate.chm	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrs15_wrapper.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-PH3S4.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-4OPLV.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-BERSF.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-GAK5A.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-UHU1J.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-VIMHA.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-9QB0N.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-NEUKB.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-O1TS2.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.pt-PT.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.hu-HU.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe	FileCenterSetup12.0.16.0.tmp

Drops file in Windows directory 26 IoCs

Processes:

msiexec.exeWINWORD.EXEDrvInst.exeFileCenter.exePDFXLite10.exeFileCenter.exe

description	ioc	process
File created	C:\Windows\Installer\f77c40f.msi	msiexec.exe
File created	C:\Windows\Installer\f77c40a.msi	msiexec.exe
File created	C:\Windows\Installer\f77c40d.ipi	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\Installer\MSI2466.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2477.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2524.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2553.tmp	msiexec.exe
File created	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77c40a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2406.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2456.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2804.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI28A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	FileCenter.exe
File opened for modification	C:\Windows\WindowsUpdate.log	PDFXLite10.exe
File opened for modification	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2910.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	FileCenter.exe
File opened for modification	C:\Windows\Installer\MSI2426.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f77c40d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23D6.tmp	msiexec.exe

Executes dropped EXE 32 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeGdPictureComReg.exevc_redist.x86.exevc_redist.x86.exeFileCenterAutomateService.exeFileCenterUtils.exePDFXLite10.exePDFXLite10.exePDFXLite10.exeFileCenterUtils.exePDFX5SA_sm.exePDFX5SA_sm.tmpprninstaller.exepdfSaver5.exeXCVault.exePrnInstaller.exeFileCenter.exepdfSaverL.exepdfSaverL.exeFileCenterUtils.exeFileCenterAgent.exeFileCenterAgent.exeFileCenter.exeFileCenter.exeFileCenterAgent.exepdfSaverL.exe

pid	process
2948	FileCenterSetup12.0.16.0.tmp
2944	FileCenterUtils.exe
2160	FileCenterUtils.exe
1944	FileCenterUtils.exe
676	FileCenterUtils.exe
1528	FileCenterUtils.exe
2908	GdPictureComReg.exe
1172	vc_redist.x86.exe
568	vc_redist.x86.exe
1676	FileCenterAutomateService.exe
1684	FileCenterUtils.exe
556	PDFXLite10.exe
1596	PDFXLite10.exe
2972	PDFXLite10.exe
968	FileCenterUtils.exe
1028	PDFX5SA_sm.exe
2068	PDFX5SA_sm.tmp
2144	prninstaller.exe
108
2388	pdfSaver5.exe
788	XCVault.exe
1684	PrnInstaller.exe
2024	FileCenter.exe
2540	pdfSaverL.exe
1820	pdfSaverL.exe
316	FileCenterUtils.exe
2896	FileCenterAgent.exe
2700	FileCenterAgent.exe
1436	FileCenter.exe
3388	FileCenter.exe
3800	FileCenterAgent.exe
3104	pdfSaverL.exe

Loads dropped DLL 64 IoCs

Processes:

FileCenterSetup12.0.16.0.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exevc_redist.x86.exevc_redist.x86.exeregasm.exeFileCenterUtils.exePDFXLite10.exePDFXLite10.exeFileCenterUtils.exePDFX5SA_sm.exePDFX5SA_sm.tmpMsiExec.exemsiexec.exeMsiExec.exe

pid	process
2244	FileCenterSetup12.0.16.0.exe
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
1528	FileCenterUtils.exe
2572	regsvr32.exe
2368	regsvr32.exe
1484	regsvr32.exe
1076	regsvr32.exe
2580	regsvr32.exe
1852	regsvr32.exe
2580	regsvr32.exe
1528	FileCenterUtils.exe
1172	vc_redist.x86.exe
1528	FileCenterUtils.exe
568	vc_redist.x86.exe
2612	regasm.exe
2612	regasm.exe
2612	regasm.exe
2612	regasm.exe
1684	FileCenterUtils.exe
556	PDFXLite10.exe
1596	PDFXLite10.exe
1596	PDFXLite10.exe
968	FileCenterUtils.exe
1028	PDFX5SA_sm.exe
2068	PDFX5SA_sm.tmp
2068	PDFX5SA_sm.tmp
2068	PDFX5SA_sm.tmp
2068	PDFX5SA_sm.tmp
108
108
108
108
108
108
108
108
108
2068	PDFX5SA_sm.tmp
2068	PDFX5SA_sm.tmp
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
1656	msiexec.exe
872	MsiExec.exe
108
108
108
108
108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 35 IoCs

evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid	process
1448	TASKKILL.exe
2912	TASKKILL.exe
2976	TASKKILL.exe
3544	TASKKILL.exe
3588	TASKKILL.exe
620	TASKKILL.exe
292	TASKKILL.exe
1684	TASKKILL.exe
3936	TASKKILL.exe
3040	TASKKILL.exe
2220	TASKKILL.exe
2328	TASKKILL.exe
1444	TASKKILL.exe
1800	TASKKILL.exe
3636	TASKKILL.exe
3732	TASKKILL.exe
1552	TASKKILL.exe
1672	TASKKILL.exe
3684	TASKKILL.exe
2580	TASKKILL.exe
3480	TASKKILL.exe
3764	TASKKILL.exe
2896	TASKKILL.exe
1172	TASKKILL.exe
1692	TASKKILL.exe
2020	TASKKILL.exe
2568	TASKKILL.exe
2844	TASKKILL.exe
1616	TASKKILL.exe
1948	TASKKILL.exe
2492	TASKKILL.exe
1972	TASKKILL.exe
620	TASKKILL.exe
1752	TASKKILL.exe
1852	TASKKILL.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

PDFX5SA_sm.tmpWINWORD.EXEmsiexec.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\"	PDFX5SA_sm.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3"	PDFX5SA_sm.tmp
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe"	PDFX5SA_sm.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D2153571-32FE-11EF-8C89-6200E4292AD7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}	PDFX5SA_sm.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 64 IoCs

Processes:

regasm.exeregasm.exemsiexec.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BC001CE9-30A4-3F95-A04C-A6DA2627FC38}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14587E1E-35FA-4716-AE19-A18E355EFA17}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C479FC7-3BFF-3614-A06B-813AB8EE540B}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CD3078EF-751B-38CA-B0C6-61D24C9C2481}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A4B2A31-5192-353E-BD93-76DEE87DB99E}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399D81368EB14EB49B9E6DFBDE110A17\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E18E8434-3DF3-4A20-BFDC-F1F5272F162E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{56225B1E-28FE-3242-8ADB-69C8509D8CF9}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76F6C77B-0FFF-43F5-8DE3-0715163D80DD}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{684FA90B-67D2-396E-8FC9-BC56810A75A6}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{607DAA74-906B-3146-999C-F4688F1E354D}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00A6C0B2-9F12-3145-BBA5-DC5D71A5963B}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8DF8461E-52D3-4E37-8AF6-3B5C1F6F7E87}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FBF7619D-DEB5-4F9E-9E15-3F26E28028AE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5033D8D5-1C10-3359-B2AE-5B1B28D1A0BD}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{697DF029-B24E-11D3-B57C-00105AA461D0}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\TypeLib\ = "{11549FE4-7C5A-4C17-9FC3-56FC5162A994}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E31522CE-AB58-45E5-95CC-D51B4429C8EB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{29A02EF5-5573-44CA-B272-D8AD94ABFA08}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BA216B3-0CCA-39E5-B68B-F4F943B65D9D}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{539F514E-E675-4BE1-86DC-1E5A8E904636}\ProxyStubClsid32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D9725FB-C4AE-3241-87C2-74EB5AEF08C5}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{50B4C2D7-BD1F-3AA0-B81F-8C1054BC813E}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B27E7FF-6279-49DA-AE6B-8E13AD665B1F}\ = "IPXV_DocContentsChangesInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BC001CE9-30A4-3F95-A04C-A6DA2627FC38}\14.2.69.0	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A465612A-8B6C-3EF5-8383-C5B1BE1069C2}\14.2.69.0\Class = "GdPicture14.PDFReducerWarningStatus"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8A9B284A-20AF-3F0A-8FA2-EF5D78E72A18}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{097275F3-B4E1-4219-97B2-8E1B17C5E4EE}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B1CB5B5-8FC9-426B-B0D0-42BCADFE3935}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2AC35BF5-05D2-4612-8B13-208CD612E587}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0AAB4D6-161B-4ED0-8BA2-BDD15BF79C47}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CA1B8DF0-AE6C-328D-9BB5-B6197DFDF275}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\399D81368EB14EB49B9E6DFBDE110A17\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{620F501F-DA83-36AE-9BDA-0977D76DDDD0}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAF696B5-9F99-3DC4-A568-B94A5AFC7420}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{22186E95-F2BB-3912-9117-D8DD363CB718}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D615A9E-73D4-4FEF-A0DA-6973C26C17B2}\TypeLib\ = "{A967E5C4-B0E1-11D3-B57C-00105AA461D0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2AC35BF5-05D2-4612-8B13-208CD612E587}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EB96FB4-C2A5-43B6-BC92-7E1AEA8D9E88}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B148BBD-F357-4166-A073-16B44503B6AC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03EE6E3C-9F78-4EAE-BB91-5DB4D5D95CA7}\ProxyStubClsid32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A79755A3-8507-48EE-A616-611BB01CF94B}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C9E52549-FC4C-33F9-99DE-61302E5F2E47}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D23929B4-7749-3229-A34D-663492DD2584}\14.2.69.0\Class = "GdPicture14.ViewerDocumentAlignment"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dtSearchEngine6.SearchFilter\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F873C3E-938E-4BB2-85B8-0700BACCF229}\TypeLib\ = "{097275F3-B4E1-4219-97B2-8E1B17C5E4EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91F594C1-7C1A-465D-BC9C-004E2FD7C6C4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC12C51-E255-427D-8385-10304C887256}\ = "IPXV_DocSaveEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17AA9FC1-A869-38F0-A7FF-A720437AD51D}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C514BAF9-7532-33E9-9198-CDDC695B414B}\14.2.69.0\Class = "GdPicture14.PdfTextDecorationStyle"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E29B77EC-A750-3185-9133-497AD8BAD74F}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{607DAA74-906B-3146-999C-F4688F1E354D}\TypeLib	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dtSearchEngine6.SearchFilter.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CCBAA52-8111-4806-B7EA-E0672F8382CD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A018E70A-4E56-44ED-8E14-BB82ED650C38}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A018E70A-4E56-44ED-8E14-BB82ED650C38}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CC0D923-B9ED-310C-B453-D1A59F25712C}\InprocServer32\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87B7522A-0E70-3527-85B7-1941F36D955D}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{063E51BB-4D88-3B05-9A50-D54BE70E6F64}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E18E8434-3DF3-4A20-BFDC-F1F5272F162E}\ = "IBitSet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CD00BD8-331B-42A2-AEFB-B5F031FD69A1}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

1564 WINWORD.EXE
3040 WINWORD.EXE

pid	process
1564	WINWORD.EXE
3040	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

FileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeregsvr32.exeFileCenterAutomateService.exeFileCenterUtils.exeFileCenterUtils.exePDFX5SA_sm.tmpmsiexec.exeMsiExec.exeFileCenter.exeFileCenterUtils.exeFileCenterAgent.exeFileCenterAgent.exeFileCenter.exeFileCenter.exeFileCenterAgent.exechrome.exe

pid	process
2944	FileCenterUtils.exe
2944	FileCenterUtils.exe
2160	FileCenterUtils.exe
2160	FileCenterUtils.exe
1944	FileCenterUtils.exe
1944	FileCenterUtils.exe
2948	FileCenterSetup12.0.16.0.tmp
2948	FileCenterSetup12.0.16.0.tmp
676	FileCenterUtils.exe
676	FileCenterUtils.exe
1528	FileCenterUtils.exe
1528	FileCenterUtils.exe
2580	regsvr32.exe
2580	regsvr32.exe
1676	FileCenterAutomateService.exe
1676	FileCenterAutomateService.exe
1684	FileCenterUtils.exe
1684	FileCenterUtils.exe
968	FileCenterUtils.exe
968	FileCenterUtils.exe
2068	PDFX5SA_sm.tmp
2068	PDFX5SA_sm.tmp
1656	msiexec.exe
1656	msiexec.exe
2196	MsiExec.exe
2196	MsiExec.exe
2024	FileCenter.exe
2024	FileCenter.exe
316	FileCenterUtils.exe
316	FileCenterUtils.exe
2896	FileCenterAgent.exe
2896	FileCenterAgent.exe
2700	FileCenterAgent.exe
2700	FileCenterAgent.exe
1436	FileCenter.exe
1436	FileCenter.exe
3388	FileCenter.exe
3388	FileCenter.exe
3800	FileCenterAgent.exe
3800	FileCenterAgent.exe
4008	chrome.exe
4008	chrome.exe

Suspicious behavior: SetClipboardViewer 13 IoCs

Processes:

FileCenter.exeFileCenterAgent.exeFileCenterAgent.exeFileCenter.exe

pid	process
2024	FileCenter.exe
2024	FileCenter.exe
2024	FileCenter.exe
2024	FileCenter.exe
2896	FileCenterAgent.exe
2896	FileCenterAgent.exe
2700	FileCenterAgent.exe
2700	FileCenterAgent.exe
3388	FileCenter.exe
3388	FileCenter.exe
3388	FileCenter.exe
3388	FileCenter.exe
3388	FileCenter.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1948	TASKKILL.exe
Token: SeDebugPrivilege	1672	TASKKILL.exe
Token: SeDebugPrivilege	3040	TASKKILL.exe
Token: SeDebugPrivilege	1616	TASKKILL.exe
Token: SeDebugPrivilege	2896	TASKKILL.exe
Token: SeDebugPrivilege	1552	TASKKILL.exe
Token: SeDebugPrivilege	620	TASKKILL.exe
Token: SeDebugPrivilege	292	TASKKILL.exe
Token: SeDebugPrivilege	2020	TASKKILL.exe
Token: SeDebugPrivilege	2912	TASKKILL.exe
Token: SeDebugPrivilege	2492	TASKKILL.exe
Token: SeDebugPrivilege	1448	TASKKILL.exe
Token: SeDebugPrivilege	2220	TASKKILL.exe
Token: SeDebugPrivilege	2976	TASKKILL.exe
Token: SeBackupPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	2632	vssvc.exe
Token: SeAuditPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeRestorePrivilege	824	DrvInst.exe
Token: SeLoadDriverPrivilege	824	DrvInst.exe
Token: SeLoadDriverPrivilege	824	DrvInst.exe
Token: SeLoadDriverPrivilege	824	DrvInst.exe
Token: SeShutdownPrivilege	2972	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	2972	PDFXLite10.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	1656	msiexec.exe
Token: SeCreateTokenPrivilege	2972	PDFXLite10.exe
Token: SeAssignPrimaryTokenPrivilege	2972	PDFXLite10.exe
Token: SeLockMemoryPrivilege	2972	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	2972	PDFXLite10.exe
Token: SeMachineAccountPrivilege	2972	PDFXLite10.exe
Token: SeTcbPrivilege	2972	PDFXLite10.exe
Token: SeSecurityPrivilege	2972	PDFXLite10.exe
Token: SeTakeOwnershipPrivilege	2972	PDFXLite10.exe
Token: SeLoadDriverPrivilege	2972	PDFXLite10.exe
Token: SeSystemProfilePrivilege	2972	PDFXLite10.exe
Token: SeSystemtimePrivilege	2972	PDFXLite10.exe
Token: SeProfSingleProcessPrivilege	2972	PDFXLite10.exe
Token: SeIncBasePriorityPrivilege	2972	PDFXLite10.exe
Token: SeCreatePagefilePrivilege	2972	PDFXLite10.exe
Token: SeCreatePermanentPrivilege	2972	PDFXLite10.exe
Token: SeBackupPrivilege	2972	PDFXLite10.exe
Token: SeRestorePrivilege	2972	PDFXLite10.exe
Token: SeShutdownPrivilege	2972	PDFXLite10.exe
Token: SeDebugPrivilege	2972	PDFXLite10.exe
Token: SeAuditPrivilege	2972	PDFXLite10.exe
Token: SeSystemEnvironmentPrivilege	2972	PDFXLite10.exe
Token: SeChangeNotifyPrivilege	2972	PDFXLite10.exe
Token: SeRemoteShutdownPrivilege	2972	PDFXLite10.exe
Token: SeUndockPrivilege	2972	PDFXLite10.exe
Token: SeSyncAgentPrivilege	2972	PDFXLite10.exe
Token: SeEnableDelegationPrivilege	2972	PDFXLite10.exe
Token: SeManageVolumePrivilege	2972	PDFXLite10.exe
Token: SeImpersonatePrivilege	2972	PDFXLite10.exe
Token: SeCreateGlobalPrivilege	2972	PDFXLite10.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	1656	msiexec.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpPDFX5SA_sm.tmpFileCenterAgent.exeiexplore.exeFileCenterAgent.exechrome.exepdfSaverL.exeFileCenter.exe

pid	process
2948	FileCenterSetup12.0.16.0.tmp
2068	PDFX5SA_sm.tmp
2068	PDFX5SA_sm.tmp
2896	FileCenterAgent.exe
2896	FileCenterAgent.exe
2440	iexplore.exe
2700	FileCenterAgent.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
3104	pdfSaverL.exe
3104	pdfSaverL.exe
3104	pdfSaverL.exe
3388	FileCenter.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

FileCenterAgent.exeFileCenterAgent.exechrome.exepdfSaverL.exe

pid	process
2896	FileCenterAgent.exe
2896	FileCenterAgent.exe
2700	FileCenterAgent.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
4008	chrome.exe
3104	pdfSaverL.exe
3104	pdfSaverL.exe
3104	pdfSaverL.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

FileCenter.exeFileCenterAgent.exeiexplore.exeIEXPLORE.EXEFileCenterAgent.exeFileCenter.exeFileCenter.exeFileCenterAgent.exeWINWORD.EXEWINWORD.EXEpdfSaverL.exe

pid	process
2024	FileCenter.exe
2024	FileCenter.exe
2024	FileCenter.exe
2896	FileCenterAgent.exe
2440	iexplore.exe
2440	iexplore.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
2700	FileCenterAgent.exe
1436	FileCenter.exe
3388	FileCenter.exe
3388	FileCenter.exe
3388	FileCenter.exe
3800	FileCenterAgent.exe
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
1564	WINWORD.EXE
3040	WINWORD.EXE
3040	WINWORD.EXE
3104	pdfSaverL.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exe

description	pid	process	target process
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2244 wrote to memory of 2948	2244	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2948 wrote to memory of 2944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2160	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2160	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2160	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 2160	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 1944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 1944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 1944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 1944	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 1944 wrote to memory of 620	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 620	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 620	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 620	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1616	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1616	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1616	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1616	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 3040	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 3040	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 3040	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 3040	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1552	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1552	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1552	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1552	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1672	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1672	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1672	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1672	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 2896	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 2896	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 2896	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 2896	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1948	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1948	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1948	1944	FileCenterUtils.exe	TASKKILL.exe
PID 1944 wrote to memory of 1948	1944	FileCenterUtils.exe	TASKKILL.exe
PID 2948 wrote to memory of 676	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 676	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 676	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2948 wrote to memory of 676	2948	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 676 wrote to memory of 292	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 292	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 292	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 292	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2976	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2976	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2976	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2976	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2492	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2492	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2492	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2492	676	FileCenterUtils.exe	TASKKILL.exe
PID 676 wrote to memory of 2912	676	FileCenterUtils.exe	TASKKILL.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\is-18HER.tmp\FileCenterSetup12.0.16.0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-18HER.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$400B2,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe" -CLOSEALL
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe" -INSTBEG
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1852

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent
4⤵
- Executes dropped EXE
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb
5⤵
- Loads dropped DLL
- Modifies registry class
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb
5⤵
- Modifies registry class
PID:2196

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2572

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"
4⤵
- Loads dropped DLL
PID:1484

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1076

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172

C:\Windows\Temp\{6DA8EC1C-F029-4684-8D80-A1D70816A7DE}\.cr\vc_redist.x86.exe
"C:\Windows\Temp\{6DA8EC1C-F029-4684-8D80-A1D70816A7DE}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556

C:\Windows\Temp\{7AB6B2FC-A6AB-42BF-B726-C4A314B38F2B}\.cr\PDFXLite10.exe
"C:\Windows\Temp\{7AB6B2FC-A6AB-42BF-B726-C4A314B38F2B}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Windows\Temp\{B8785585-5D21-4503-9B56-0D5CE82754F9}\.be\PDFXLite10.exe
"C:\Windows\Temp\{B8785585-5D21-4503-9B56-0D5CE82754F9}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{59900D54-F2AA-469A-B4D7-1C29122D04B4} {991BC7ED-CBA4-449D-8DA1-0FDF4ED443A6} 1596
6⤵
- Adds Run key to start application
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028

C:\Users\Admin\AppData\Local\Temp\is-L9SMV.tmp\PDFX5SA_sm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L9SMV.tmp\PDFX5SA_sm.tmp" /SL5="$6020C,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2068

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "
6⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:2144

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer
6⤵
- Executes dropped EXE
PID:2388

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe
"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
6⤵
- Executes dropped EXE
PID:788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "0000000000000574"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 1C1205C4768EDBB732F84686817D71C2
2⤵
- Drops desktop.ini file(s)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 91B2E989F4FCDFDCD0A12253DF994FA5 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:872

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"
2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:1684

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
2⤵
- Executes dropped EXE
PID:2540

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
2⤵
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1444

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1172

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:620

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1684

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:2568

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
2⤵
- Kills process with taskkill
PID:1752

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=PUMARTNR&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1692

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1800

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1852

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:1972

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2328

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2580

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:2844

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3480

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3544

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3588

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3636

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:3684

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3732

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3764

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67b9758,0x7fef67b9768,0x7fef67b9778
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:2
2⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:8
2⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:2
2⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1460 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3224 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3476 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3248 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2980 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3548 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2948 --field-trial-handle=1196,i,3647607381627150116,6781156639131274547,131072 /prefetch:1
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2596

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EnterWrite.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:2712

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77c40e.rbs
Filesize
35KB

MD5
978a1601fa71cf53e02a5574dd88bc60

SHA1
fd49dd8d11ccf4e78bd64d39431b0b433be8784c

SHA256
13bdce262c947e27d65fe3727ffd8817f163f6edb521b99c546c378dcff474d2

SHA512
9aceb22d4ffa5fd9863cd7a042e2ba95ee53a57bbdc932b358ef00a98da3843c832a7f2421fd0924d77c9a62e082ec0546fb18757be9aa9b7f90199363fa1dbd

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll
Filesize
593KB

MD5
2fbf69d014ae135d473ec8243d44be9e

SHA1
2c28d3b23d8ff061ae554ccd92aec93900e3cb2b

SHA256
6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3

SHA512
530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\unins000.exe
Filesize
1.1MB

MD5
fa3f6d3bed7348ac3f45fde9e4ded1e4

SHA1
fdbf41b865e6a697142e8a2beb975ee728c41585

SHA256
3dbf88889ad9e347ac3fe93ec6f5d3771eff1fc2de39f8d7b3df9263a76b651e

SHA512
ed3d9fde7060b138b838ecc47969e601872b6a9541a39e24fbe7b56e1a68e414a93d9de187331d4dbf02430d4165c36ae2b167457e8ee90c59796ba7da972524

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini
Filesize
27B

MD5
70da425f8aac14b1484047edb83e60e8

SHA1
69d09199af5a5ba4ed4e1d59432fec784d5271e4

SHA256
258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f

SHA512
a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll
Filesize
36.9MB

MD5
d9806fd0eeafd9f89e0473ad52889283

SHA1
d6fca558897aaa6703129557e2d02b1a84765dcb

SHA256
aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6

SHA512
796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422

Download Submit
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
Filesize
13.6MB

MD5
35b40b21383ac38487ceec8ab6e53565

SHA1
59894bd9c96361b475c3b4b7ca9719c72e813d04

SHA256
caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec

SHA512
3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

Download Submit
C:\ProgramData\FileCenter\ColumnStatesCab.ini
Filesize
5KB

MD5
3c78191be09b4a0cbad92cfeb1218759

SHA1
26ac00f02d2e39cba573e908adab29332fdf2d74

SHA256
e089ca10bb421f8d22fcd5a547fa2f491235c009ee27e0b4542d692a16d2c232

SHA512
ee6f21932a0d63854d6cd1bc2c8abb60463060ceb62aecf1133f51a3b1198ae520d64363f819402060c768611b62b48f9eb9e1baeeefc4e653b257b086316443

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
42B

MD5
4a2b0b2d8d08db9fcc6eae2e25c9b4d1

SHA1
bcbd9242fe7ad0afabb143453d732657cfc79ede

SHA256
70bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e

SHA512
5dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
23B

MD5
b2ad8f8dcc45644ea167317d050faac4

SHA1
215091d6ad9d4f210b85e675b17c60a7300ca9b1

SHA256
9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0

SHA512
528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

Download Submit
C:\ProgramData\FileCenter\Intercepts.ini
Filesize
6KB

MD5
293bfe23c32bd1332e4caf09e9bb347d

SHA1
1777f80e58dcc9b37cf87d73a4680723c7b87461

SHA256
3f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264

SHA512
0ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194

Download Submit
C:\ProgramData\FileCenter\MRUPDFEditor.ini
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\ProgramData\FileCenter\MyPortal.ini
Filesize
26B

MD5
8af40c2a9db1af603163ed8b0e25a3d0

SHA1
36db1a9baec9e7d6d17073529afff9df063e68d9

SHA256
64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705

SHA512
2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

Download Submit
C:\ProgramData\FileCenter\Packages.ini
Filesize
194B

MD5
cc64ef17e686ca21c5c9b1faabf2cf86

SHA1
8b61a362fa60ca12b1b902c337b37ac3ce52ed8f

SHA256
cacee38c680edc0b5ea6f66cd19e36cd462a32a81599ce5cfee2ac7e9a602f57

SHA512
3b4705e104a15bc08e1f9d70a19d18e91b3a1ac7b5541880ab38da1a4052e24bf687e2eed27e85cdc0dd98f9229a208c2eaa3a1fa14e750dad4036251d94f9da

Download Submit
C:\ProgramData\FileCenter\Settings\HUBData_Lock.tmp
Filesize
14B

MD5
724deba0ee02aa7ad576295d784b1230

SHA1
f4f36556c9babc24a278f5f2ddcce4bff6a64bc7

SHA256
a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac

SHA512
3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

Download Submit
C:\ProgramData\FileCenter\Settings\User-Cabinets.txt
Filesize
246B

MD5
e75e989f725e7e48cc820f5c7af486c8

SHA1
f5c40c243e210f729f2c32ffe93726e2f5c5a013

SHA256
67bfb8f9801b296d6fcb68cc41080dc07317817e7085c3ad2c7534770e5dadb9

SHA512
08846020c4176b0db7b72abcaa1ff16af5c33ee8a00dc4577abfe99546a509696e56dfa79da372fd5a80689486ecafbb074f12bed9f77fae548111cfe17f53f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
a935830c46c99084b539ebb72879424d

SHA1
e3817fef3261a00f9cab542fc387812e3a47f728

SHA256
51ff5acda27a73dd1ed1d33c52ed56a3c38de926907ab1a5fc585bca81cdaf88

SHA512
b3f258251548e1503ba9b25c21749fe575adc979d08f0fa4cae19a99961ef24a511a971aba4feaf158a05e599b82d57a330aec8ce8067e923667c93c19659736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
d97aa7b23f1ed15894a2853ffdad84d5

SHA1
b2e8e52dde0ac90a9da84920474c8c69fca09fab

SHA256
d5bb523cad7cbfad6ea9af1ea95954cc4c37ee25eeb3ddc8327607de125c78f5

SHA512
2c4426c26b6aa28d45182d651804ccd7e3843aa777fe18f383d88ffdb84a9eca375fc45b19decba728c35177463f0aa4d602b7fb20f4854f3bc7ea733bdb5527

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c3288cdb-b6e1-4a93-a1ab-b61b2d179ad2.tmp
Filesize
140KB

MD5
39216221f8ca7753341308ce4ec4e43d

SHA1
99a0d394874ccef85dd5b67bd60edcdc8f449fe0

SHA256
1b063d0d3f02bdd70d00152fe1cbf065d6e4fbd3bc94ec68bf638ec207226a04

SHA512
f7180c12825618384e679a4b1ef28683d97e90a9b11865b1de79341b16c9b6bad01e0ce4054f731817d8dca31c915cf4e005638552671add5c8ecf24d190d6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc
Filesize
1024KB

MD5
8dd498cd953de154a813a1fd0ede54b7

SHA1
9c9917190877ec574427a71f0ff3b71b11e1642e

SHA256
603f181dbb3affdb7ecb331b9dcece5759b49848cab524cce678d1ed53dc6c28

SHA512
825a5b2f0754be0e094e64c6e1bfae653dc67733e31b93409e70f4d3f1675931dbe78b118b7cd9ac87f1daefbd3227e99221607a6d86bb530fd4ad4e390637ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC46A.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF3B7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\prnInstaller.log
Filesize
692B

MD5
39d1099c5c508cd9047324dd828ae547

SHA1
22139d9ee692f5ecaf95de8aafe8573712d7c426

SHA256
66f04dcba4dbe547acc24d03d0efa1505009597cd1d9a6a8f9439ff384ccc81b

SHA512
6df4e672bf357d1bc85654e1e35e7cf656e8361baec175de33e813aa7c21b2073b65e257f435e1fc51c516a6a6bf8e2676729f9853e603a3ae647118d8fd4a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\prnInstaller.log
Filesize
1KB

MD5
632a697f9db2e5f4236200d7a74ff402

SHA1
25ab97646150d322e309e593aa13fb62973f4afa

SHA256
d16af805ecb046ebc007eb7206e9eb57b6b454f3c55620338457390a6224f2ef

SHA512
475c0f43aa1eb50cfe4cdede0887e34ad6198832c54dc6c5f60c47d2d7d17f5d6cc4e34d276a7e32b0f58837f5e0f32dd9ec3c9399ec0fb0038a63578b816b84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
62B

MD5
3423fc30fa76b1d5a232b1094b06c1bb

SHA1
630acd3395c3eede942be87868a9fd3932346aa9

SHA256
b8fbc606b16cdfb92bafe0d3adbb5a2990caddca46be07d9c306ba16776df060

SHA512
420785c763b24406528a71cf99bb1aed7faaf876695dec297960d773606db036dc988d07ab7c191940162efd6e3cb604ffb1cbea811da3c33d3c8a5ca8eb7efa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
167B

MD5
8dfdee6ce769435ae6d91b21bea7c104

SHA1
222033ed7f32cce2d7743b4a955f49c9c52890db

SHA256
8608526e9683329208d46c632f064edf86b78e0ce503359edaa3f7f5cf6586a1

SHA512
f821c2aa4c33d8d7e043c5ec9da6b046ca4e47c054650df130e6d3b55ce4ca21bbfea654f265a6502e3ff4b0b0c4ae83257401d84614ba5fc9ef294c0b14fb55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
fd1748f1490ea1a080cbf12d0d07302d

SHA1
97d43a526f9a909b4b396e9fa449f90a870d878b

SHA256
c664e87c76476df687eed74780e856a7c4800994eaef28bacf98380867f7fe94

SHA512
e3a73ae3b7424df40ce994299069e9d3e33bb4151613ab758b7f03ed795624b5f8051fd75f5910e3685ffcb05a41b28489ff1f7b07d65f900b3700df2a61ac1f

Download Submit
C:\Windows\Installer\MSI2426.tmp
Filesize
1.3MB

MD5
5a36339a5bae618a2ef09d0adab0b602

SHA1
437d251abdcfe4f9379c44336ff5b920df7a0fbf

SHA256
2e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674

SHA512
cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a

Download Submit
C:\Windows\Installer\f77c40a.msi
Filesize
2.6MB

MD5
e91e50fc80f7d84561db5823595e5b63

SHA1
b3e40b17a668586e86f346e9a7e3b8ef4838d437

SHA256
3203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948

SHA512
c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034

Download Submit
C:\Windows\Temp\{7AB6B2FC-A6AB-42BF-B726-C4A314B38F2B}\.cr\PDFXLite10.exe
Filesize
1.4MB

MD5
63ed90cdd501829a2319f8cf86c52bd2

SHA1
da198bec49015e98baa5b2cb91903f659e31dd37

SHA256
529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f

SHA512
d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19

Download Submit
C:\Windows\Temp\{AA693759-8FAD-44CF-BBC2-A4CDD9917794}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{B8785585-5D21-4503-9B56-0D5CE82754F9}\.ba\logo.png
Filesize
5KB

MD5
04967ef5107480ea36b3e2e97af7eb7a

SHA1
6efdd4484dcfcfd45b3c887c852f0abb1a02a645

SHA256
63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21

SHA512
00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
Filesize
40.5MB

MD5
4c61ee01d5b84db67c38c10d3f210f39

SHA1
844eab66505dc4eb88dec70c3f20307365c350ac

SHA256
a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583

SHA512
a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenter.exe
Filesize
20.1MB

MD5
879d5b401a73cc57a3166ba01ce70c60

SHA1
ee8b47af48514a3b65f4ee838c95e7a3a64d3434

SHA256
82da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe

SHA512
6e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll
Filesize
13.0MB

MD5
2b9bbd88d6b6a3b7c417cbb0eae69bf4

SHA1
c43ab9fa5c1085ba21280d143f8b8322d6a93883

SHA256
1e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f

SHA512
f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAdmin.exe
Filesize
15.2MB

MD5
30a169811bbb56f80ad2ef63bafd48bf

SHA1
61006f10a4ec28c8dcc2f19485306a349e65d82c

SHA256
5e6a19aa1448fdf5861b3a663d81e149582c65022d31020cad58e71943d850b9

SHA512
149df30e330b61345562bf5f6cdd313b73df3386cccfe0d56c178daa5172c10b120bb3bc9a6ce9de935772466c76af03cba9c399f1b60bec0470ec2ba9ffc9e5

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAutomate.exe
Filesize
15.1MB

MD5
b54c915c76810bd4ae1cacf3f60d3fcf

SHA1
348c04cd0057b2e12c64ae8911533ef9046a786b

SHA256
1d98350a7cd23ca173b6405ce46fe002f8ca340cd7362a1dd90927508ae37459

SHA512
dd8199c6edfe413d332c5925d75aea74ae96d8ff1efa323e57ca69c23065904b2db715b6af413bcca9f99b33280dacee24c695bf9cf61bb9dfae38112e9534ee

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
Filesize
7.7MB

MD5
42d9ffbb0b7ef3cbdeb0c005619b12fb

SHA1
fbaed95c25aa26c43121e8421b5154e9e5dcdca0

SHA256
59e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307

SHA512
c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterPortal.exe
Filesize
19.4MB

MD5
b117c8ab833f3fd2e645588b76e0350d

SHA1
542f9f159f61c53b6bddf3c12ee599f841894032

SHA256
fc84fcca5174673afc19102cc1ece6927f340a5b787602ae7c8487dd48af0183

SHA512
d662b913d390ff27cbecde257f6a3b873d8727df9d83fef57cce51be744e9748b18471b24af23adee36772ac5df7605a411b158c5e0aae276a55a4cff3117ef1

Download Submit
\Program Files (x86)\FileCenter\Main\FileCenterScan.exe
Filesize
18.4MB

MD5
48c0dc674559c958633f98b057ebcf26

SHA1
07af2ae436c357cf1ba508f0825654100cb56c07

SHA256
7dcbb120bff0e4eb3e1964c56de1d528810a64b28e224fe9f3bc1d65e15cb896

SHA512
7ecadbfa6ac7fdcdd274cee98329c614f3c387aaff658b163349ec4a42f782a8dcf7c1528ba0cfea362bf9b43c80f3e6aaf34f414767da51d3b2c3b425aafa00

Download Submit
\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
Filesize
21KB

MD5
b9718823c993fccb6352cc0210993569

SHA1
4d551f7cafd0040ff9657ca644c1365f3e7847ae

SHA256
a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89

SHA512
6e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747

Download Submit
\Program Files (x86)\FileCenter\Main\VSTwain.dll
Filesize
573KB

MD5
13f5f7e228ce2b8a3a41dbad4e451279

SHA1
1b3837572602b2620b75bf2ad2aeab89a64f5287

SHA256
11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292

SHA512
24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

Download Submit
\Program Files (x86)\FileCenter\Main\dten600.dll
Filesize
7.7MB

MD5
22cf875a0cf0ad89f5f7d7ac6628a598

SHA1
c2a9620579a08d6a91557e6cb8f1d2585392d30d

SHA256
11ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf

SHA512
3b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608

Download Submit
\Program Files (x86)\FileCenter\Main\lbvProt.dll
Filesize
532KB

MD5
120387e48d0556538ef3ee68de18a707

SHA1
0633de57f7ef851115be39d407db8e08986b3d93

SHA256
e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e

SHA512
a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da

Download Submit
\Program Files (x86)\FileCenter\Main\secman.dll
Filesize
146KB

MD5
085d87f49daf13496e0e018c4008fae6

SHA1
4b0c3058b8ace7e8242c941b449daa968f5b45c7

SHA256
d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15

SHA512
52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

Download Submit
\Users\Admin\AppData\Local\Temp\is-10KR3.tmp\FileCenterUtils.exe
Filesize
8.7MB

MD5
e9638374a27160513f1a62827b6cf102

SHA1
b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f

SHA256
c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942

SHA512
9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

Download Submit
\Users\Admin\AppData\Local\Temp\is-18HER.tmp\FileCenterSetup12.0.16.0.tmp
Filesize
3.0MB

MD5
0acf3c16e6faca9c0aec525f53d03866

SHA1
5c3960b48d2b72ad02e59470d8a7b690ee826f9e

SHA256
2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151

SHA512
17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

Download Submit
\Windows\Temp\{6DA8EC1C-F029-4684-8D80-A1D70816A7DE}\.cr\vc_redist.x86.exe
Filesize
632KB

MD5
86123c033231dd7e427d619ddeefd26a

SHA1
608c085348fd9c4e124e6f28f0388ccdac6ab2b5

SHA256
d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737

SHA512
ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

Download Submit
\Windows\Temp\{AA693759-8FAD-44CF-BBC2-A4CDD9917794}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/316-1192-0x0000000000FA0000-0x0000000001A36000-memory.dmp

Filesize
10.6MB

Download
memory/676-36-0x0000000000840000-0x00000000012D6000-memory.dmp

Filesize
10.6MB

Download
memory/968-783-0x0000000000930000-0x00000000013C6000-memory.dmp

Filesize
10.6MB

Download
memory/1028-781-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1028-845-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1528-689-0x0000000001370000-0x0000000001E06000-memory.dmp

Filesize
10.6MB

Download
memory/1676-688-0x00000000012B0000-0x0000000001A6B000-memory.dmp

Filesize
7.7MB

Download
memory/1684-732-0x0000000000240000-0x0000000000CD6000-memory.dmp

Filesize
10.6MB

Download
memory/1684-778-0x0000000000240000-0x0000000000CD6000-memory.dmp

Filesize
10.6MB

Download
memory/1684-780-0x0000000000240000-0x0000000000CD6000-memory.dmp

Filesize
10.6MB

Download
memory/1944-32-0x0000000000210000-0x0000000000CA6000-memory.dmp

Filesize
10.6MB

Download
memory/2024-1279-0x0000000000F80000-0x0000000002598000-memory.dmp

Filesize
22.1MB

Download
memory/2024-1243-0x0000000000F80000-0x0000000002598000-memory.dmp

Filesize
22.1MB

Download
memory/2024-1221-0x0000000000F80000-0x0000000002598000-memory.dmp

Filesize
22.1MB

Download
memory/2024-1222-0x00000000025A0000-0x0000000002FD9000-memory.dmp

Filesize
10.2MB

Download
memory/2024-1089-0x00000000025A0000-0x0000000002FD9000-memory.dmp

Filesize
10.2MB

Download
memory/2068-844-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2160-27-0x00000000013A0000-0x0000000001E36000-memory.dmp

Filesize
10.6MB

Download
memory/2196-728-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2196-727-0x000000001C1B0000-0x000000001E69A000-memory.dmp

Filesize
36.9MB

Download
memory/2196-726-0x000000001C1B0000-0x000000001E69A000-memory.dmp

Filesize
36.9MB

Download
memory/2196-725-0x000000013FC10000-0x000000013FC20000-memory.dmp

Filesize
64KB

Download
memory/2244-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2244-17-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2244-1088-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2244-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2368-576-0x0000000010000000-0x00000000101C8000-memory.dmp

Filesize
1.8MB

Download
memory/2612-690-0x0000000005140000-0x000000000762A000-memory.dmp

Filesize
36.9MB

Download
memory/2612-647-0x0000000001240000-0x0000000001252000-memory.dmp

Filesize
72KB

Download
memory/2612-722-0x0000000007850000-0x0000000007858000-memory.dmp

Filesize
32KB

Download
memory/2612-694-0x0000000005140000-0x000000000762A000-memory.dmp

Filesize
36.9MB

Download
memory/2700-1255-0x0000000002040000-0x0000000002A79000-memory.dmp

Filesize
10.2MB

Download
memory/2700-1282-0x0000000002040000-0x0000000002A79000-memory.dmp

Filesize
10.2MB

Download
memory/2896-1219-0x0000000000860000-0x0000000001CA6000-memory.dmp

Filesize
20.3MB

Download
memory/2896-1220-0x0000000001CB0000-0x00000000026E9000-memory.dmp

Filesize
10.2MB

Download
memory/2896-1193-0x0000000001CB0000-0x00000000026E9000-memory.dmp

Filesize
10.2MB

Download
memory/2908-587-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/2944-16-0x00000000001B0000-0x0000000000C46000-memory.dmp

Filesize
10.6MB

Download
memory/2948-91-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-847-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-24-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-18-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-29-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-683-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-1083-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-9-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-359-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2948-1087-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download