Resubmissions
Submitted | ID | Score
25-06-2024 14:19 | 240625-rm6bxsvdkb | 6
21-06-2024 15:11 | 240621-sknjrsygjm | 6
17-06-2024 17:09 | 240617-vn6wmawhlb | 10
14-06-2024 13:23 | 240614-qmxjcawdmm | 10

Analysis
max time kernel: 497s
max time network: 448s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 14:19
Static task: static1
Behavioral task: behavioral1
  Sample: FileCenterSetup12.0.16.0.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: FileCenterSetup12.0.16.0.exe
  Resource: win10v2004-20240508-en
General
Target: FileCenterSetup12.0.16.0.exe
Size: 300.4MB
MD5: 123556b83a3dad2f59e76602768e9536
SHA1: b402ded286fff73aaf9b32f075bc32029da6d461
SHA256: df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
SHA512: bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
SSDEEP: 6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: FileCenterSetup12.0.16.0.tmp, PDFXLite10.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe" | FileCenterSetup12.0.16.0.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe" | FileCenterSetup12.0.16.0.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce" | PDFXLite10.exe
Blocklisted process makes network request (2 IoCs)
Processes: msiexec.exe
flow | pid | process
50 | 5112 | msiexec.exe
52 | 5112 | msiexec.exe
Drops desktop.ini file(s) (1 IoC)
Processes: MsiExec.exe
description | ioc | process
File opened for modification | C:\Users\Public\Desktop\desktop.ini | MsiExec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
description | ioc | process
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: FileCenterUtils.exe, FileCenter.exe, FileCenterAgent.exe, GdPictureComReg.exe, PDFXLite10.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | FileCenterUtils.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | FileCenter.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | FileCenterAgent.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | FileCenterUtils.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | GdPictureComReg.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | FileCenterUtils.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | PDFXLite10.exe
Drops file in System32 directory (10 IoCs)
Processes: splwow64.exe, PrnInstaller.exe, prninstaller.exe
description | ioc | process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\pxcpmL.dll | PrnInstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll | PrnInstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml | PrnInstaller.exe
File opened for modification | C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll | PrnInstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL | prninstaller.exe
File opened for modification | C:\Windows\system32\pxcpmL.dll | PrnInstaller.exe
File created | C:\Windows\system32\pxc50pm.dll | prninstaller.exe
File opened for modification | C:\Windows\system32\pxc50pm.dll | prninstaller.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL | prninstaller.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Processes: FileCenterSetup12.0.16.0.tmp, msiexec.exe, PDFX5SA_sm.tmp
description | ioc | process
File opened for modification | C:\Program Files (x86)\FileCenter\Main\Perceptive.DocumentFilters.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-8Q4BU.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Tracker Software\Vault\XCVault.exe | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\GdOCR\is-K3PRQ.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Help\is-B0UCI.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-CN.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-06TEJ.tmp | PDFX5SA_sm.tmp
File created | C:\Program Files (x86)\FileCenter\Main\GdOCR\is-SUK7Q.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-V8TD6.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.pt-BR.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Uninstall\FileCenter\unins000.dat | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-EGD62.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ar-SA.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\EZT4Ocr.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-VC254.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.he-IL.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-1M0FI.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.nl-NL.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-MJ08F.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-U6KGK.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-2ON21.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-VJ041.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-DHFSK.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.id-ID.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsnet15.dll | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrspng15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Tips\is-OEDGF.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-CP7II.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-DJ6NE.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineSI.exe | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\GdOCR\is-14IVA.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-LHJK5.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-IO4M4.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\ISYS11df.dll | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\EZT4Gif.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\IRIS\is-C5NU0.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sr-Latn-RS.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterAddin64.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-T32FV.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sv-SE.xcl | msiexec.exe
File created | C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Main\is-U7E3T.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\GdOCR\is-B37KA.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\Samples\is-LTMGC.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.de-DE.xcl | msiexec.exe
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.az-Latn-AZ.xcl | msiexec.exe
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.it-IT.xcl | msiexec.exe
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsocr15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\fonts\is-A6M1D.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-4F1N6.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-N479V.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-QDMB5.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-4NEQI.tmp | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Help\fc-scan.chm | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineRI.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineTR.exe | FileCenterSetup12.0.16.0.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdmtx15.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-F999M.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.sw-KE.xcl | msiexec.exe
File created | C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-7L2AT.tmp | PDFX5SA_sm.tmp
File opened for modification | C:\Program Files (x86)\FileCenter\Main\EZT4Curl.dll | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Main\is-UEAIO.tmp | FileCenterSetup12.0.16.0.tmp
File created | C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-4V5RH.tmp | PDFX5SA_sm.tmp
Drops file in Windows directory (20 IoCs)
Processes: msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI32A0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI32B1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI342B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6318D993-1BE8-4BE4-B9E9-D6BFED11A071} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI363F.tmp | msiexec.exe
File created | C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI36DC.tmp | msiexec.exe
File created | C:\Windows\Installer\e5930ab.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3261.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3409.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3C3C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3E70.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3F4B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e5930ab.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI341A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco | msiexec.exe
File created | C:\Windows\Installer\e5930af.msi | msiexec.exe
Executes dropped EXE (32 IoCs)
Processes: FileCenterSetup12.0.16.0.tmp, FileCenterUtils.exe, GdPictureComReg.exe, vc_redist.x86.exe, FileCenterAutomateService.exe, PDFXLite10.exe, PrnInstaller.exe, pdfSaverL.exe, PDFX5SA_sm.exe, PDFX5SA_sm.tmp, prninstaller.exe, pdfSaver5.exe, XCVault.exe, FileCenter.exe, FileCenterAgent.exe, FileCenterInjector32.exe
pid | process
2812 | FileCenterSetup12.0.16.0.tmp
3236 | FileCenterUtils.exe
2300 | FileCenterUtils.exe
1244 | FileCenterUtils.exe
4472 | FileCenterUtils.exe
4024 | FileCenterUtils.exe
2256 | GdPictureComReg.exe
4108 | vc_redist.x86.exe
1824 | vc_redist.x86.exe
3836 | FileCenterAutomateService.exe
4732 | FileCenterUtils.exe
1348 | PDFXLite10.exe
2840 | PDFXLite10.exe
4412 | PDFXLite10.exe
3156 | PrnInstaller.exe
1752 |
1872 | pdfSaverL.exe
5032 | pdfSaverL.exe
3412 | FileCenterUtils.exe
1120 | PDFX5SA_sm.exe
4236 | PDFX5SA_sm.tmp
3744 | prninstaller.exe
3612 | pdfSaver5.exe
3192 | XCVault.exe
4956 | FileCenter.exe
3464 | pdfSaverL.exe
220 | pdfSaverL.exe
4540 | FileCenterUtils.exe
1216 | FileCenterAgent.exe
5876 | FileCenterAgent.exe
3000 | FileCenterInjector32.exe
1812 | pdfSaverL.exe
Loads dropped DLL (47 IoCs)
Processes: regsvr32.exe, regasm.exe, vc_redist.x86.exe, PDFXLite10.exe, MsiExec.exe, PDFX5SA_sm.tmp, FileCenter.exe, FileCenterAgent.exe, splwow64.exe, pdfSaverL.exe
pid | process
532 | regsvr32.exe
1952 | regsvr32.exe
4260 | regsvr32.exe
2284 | regsvr32.exe
1736 | regsvr32.exe
1368 | regsvr32.exe
1368 | regsvr32.exe
3188 | regasm.exe
3188 | regasm.exe
3188 | regasm.exe
3188 | regasm.exe
1824 | vc_redist.x86.exe
2840 | PDFXLite10.exe
1824 | MsiExec.exe
1824 | MsiExec.exe
1824 | MsiExec.exe
1824 | MsiExec.exe
1824 | MsiExec.exe
1824 | MsiExec.exe
1824 | MsiExec.exe
4116 | MsiExec.exe
4116 | MsiExec.exe
1824 | MsiExec.exe
4236 | PDFX5SA_sm.tmp
1752 |
1752 |
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
1216 | FileCenterAgent.exe
1216 | FileCenterAgent.exe
5876 | FileCenterAgent.exe
5876 | FileCenterAgent.exe
4956 | FileCenter.exe
4136 | splwow64.exe
212 |
4136 | splwow64.exe
1812 | pdfSaverL.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
4956 | FileCenter.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes: msedge.exe, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Kills process with taskkill (25 IoCs)
Processes: TASKKILL.exe
pid | process
4080 | TASKKILL.exe
656 | TASKKILL.exe
2576 | TASKKILL.exe
4988 | TASKKILL.exe
4732 | TASKKILL.exe
4348 | TASKKILL.exe
3720 | TASKKILL.exe
3124 | TASKKILL.exe
5052 | TASKKILL.exe
2116 | TASKKILL.exe
2252 | TASKKILL.exe
2868 | TASKKILL.exe
2204 | TASKKILL.exe
3744 | TASKKILL.exe
2140 | TASKKILL.exe
2792 | TASKKILL.exe
1456 | TASKKILL.exe
4792 | TASKKILL.exe
3068 | TASKKILL.exe
3724 | TASKKILL.exe
4560 | TASKKILL.exe
3540 | TASKKILL.exe
3808 | TASKKILL.exe
3464 | TASKKILL.exe
3184 | TASKKILL.exe
Processes: msiexec.exe, PDFX5SA_sm.tmp
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40} | PDFX5SA_sm.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe" | PDFX5SA_sm.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\" | PDFX5SA_sm.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3" | PDFX5SA_sm.tmp
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\" | msiexec.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Modifies registry class (64 IoCs)
Processes: regasm.exe, regsvr32.exe, msiexec.exe, pdfSaver5.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\ProgId | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1C806E-791F-4D81-AD28-28C84A7F9626}\ = "IObjCollection" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A79755A3-8507-48EE-A616-611BB01CF94B}\TypeLib | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2149EA7-B58E-378B-8E52-70645A0BEC94}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\ProgId | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Dten600.FileConverter | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B55EFD3A-7639-45F0-A33E-12971B7DAAB7}\ = "IUIX_RangesNavigator" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2CB39873-DF95-333A-B652-AB54100BD735}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D726366D-34D6-49FC-A341-7B84C54CCA3E}\ = "IPXV_Inst" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14587E1E-35FA-4716-AE19-A18E355EFA17}\TypeLib\Version = "e.2" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3074C30-3837-31AA-81D3-8AB09BDFC431}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{09EA018A-8293-38A7-816E-0251F9E09C9B}\TypeLib\Version = "e.2" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFE955F3-4ADE-4C79-B40A-8DD1955A328F}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D615A9E-73D4-4FEF-A0DA-6973C26C17B2}\ = "ISearchFilter" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237F6B6F-DAB7-4230-B2E9-49D5C6AB9243}\ = "IUIX_ContextHelpHandler" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91F594C1-7C1A-465D-BC9C-004E2FD7C6C4}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32 | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1E506401-16B8-3FD1-86A0-4C22389BCEB2}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{264197D5-6440-3006-8548-E33267CA93BA}\14.2.69.0\Class = "GdPicture14.TwainPixelType" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C577CE3-F5BD-4AC5-B52D-76264D51D578}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0265291-1DFC-4377-B60D-7AE9CA536A73}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49237A9D-448A-484D-9036-73E1E6C36628}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AE9FE02C-2917-3CDF-83C6-040C869E2504} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{014302D9-4DE6-397A-8DE9-F470BD0254A8}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D} | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97AC7381-9417-323E-8AAE-234B95A6157B} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B44473C2-B0B0-38C6-AD26-DC7F2B91FDA3}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C023D333-1DE2-3611-8A05-5D48816051B9}\TypeLib\Version = "e.2" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3D50468D-69C9-365A-A899-AB61D669F22C}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EE9072C9-4757-39C3-85B2-55DA35698A58}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B539001-204C-4960-9AE6-9246D044961F}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6B868CDB-BBBB-37C8-8FDB-9CBDDD8F7B1F}\14.2.69.0 | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1CB9426-FA08-4829-8470-C8C7FF7F7A00}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8934FF21-97DD-3A3A-A58D-327BAA701B1E}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\NumMethods | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B430FB9-7FBB-4645-94BC-76E917FFCE42} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A7F1FD3-FC4C-40C1-AF2C-D25CBB527C8E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{681F0BA3-6BEA-37FA-9AD5-4AD97E322866}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFA5BEFF-8BDD-4AE1-AD40-6D11FAD0CA1C}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F64923D-567C-4603-82D9-1AAABB307C20}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C0996724-EA4D-3ECE-AFA2-E67E6B91B5E6}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\87E34BDCB0E3B234F8E631EF56D3CC43 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{697DF026-B24E-11D3-B57C-00105AA461D0}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\ = "mscoree.dll" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E200759-C46D-3822-A83A-11C96FC94477}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FE1F915C-17D3-35EB-BB14-24CEC02931D3}\14.2.69.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{607DAA74-906B-3146-999C-F4688F1E354D} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F6F8356-1AB8-40AD-81E4-E1E3E71B4BCD}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{607DAA74-906B-3146-999C-F4688F1E354D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17AA9FC1-A869-38F0-A7FF-A720437AD51D}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71300D43-687F-436A-A699-2B37448D0803}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{759D3976-86EC-378D-BF99-6EA0E85A98ED}\14.2.69.0 | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E5C6F2A3-9E94-3BAD-901A-ECAF82AC0D62} | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\VersionIndependentProgID\ = "TrackerUpdateSrvLib.TrackerUpdateObj" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73D6873C-BD16-49E6-A160-81D847A24DF7} | pdfSaver5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EBB31E2-2E6A-4463-B53B-EA7C502D564D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF87328C-B7C8-4FC8-8DE6-043E83F25A17}\ = "_IPXV_ControlEvents" | regsvr32.exe
Suspicious behavior: AddClipboardFormatListener (5 IoCs)
Processes (pid, process; repeated events collapsed with a count):
- 6052 WINWORD.EXE (x2)
- 4496 WINWORD.EXE (x2)
- 4956 FileCenter.exe (x1)
Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes (pid, process; each process listed twice in the raw log, collapsed to x2):
- 3236 FileCenterUtils.exe (x2)
- 2300 FileCenterUtils.exe (x2)
- 1244 FileCenterUtils.exe (x2)
- 2812 FileCenterSetup12.0.16.0.tmp (x2)
- 4472 FileCenterUtils.exe (x2)
- 4024 FileCenterUtils.exe (x2)
- 1368 regsvr32.exe (x2)
- 3836 FileCenterAutomateService.exe (x2)
- 4732 FileCenterUtils.exe (x2)
- 5112 msiexec.exe (x2)
- 1824 MsiExec.exe (x2)
- 3412 FileCenterUtils.exe (x2)
- 4236 PDFX5SA_sm.tmp (x2)
- 4956 FileCenter.exe (x2)
- 4540 FileCenterUtils.exe (x2)
- 1216 FileCenterAgent.exe (x2)
- 4944 msedge.exe (x2)
- 4024 msedge.exe (x2)
- 4336 identity_helper.exe (x2)
- 5876 FileCenterAgent.exe (x2)
- 3000 FileCenterInjector32.exe (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process):
- 4024 msedge.exe (x7)
Suspicious behavior: SetClipboardViewer (8 IoCs)
Processes (pid, process):
- 4956 FileCenter.exe (x4)
- 1216 FileCenterAgent.exe (x2)
- 5876 FileCenterAgent.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (privilege token enabled, pid, process; grouped by process, privileges in the order logged):
- TASKKILL.exe, pids 4988, 2868, 656, 2576, 2792, 3724, 5052, 3184, 3744, 4792, 1456, 2204, 2116, 4560: SeDebugPrivilege (one event per pid, 14 events)
- 2744 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 events)
- 4412 PDFXLite10.exe (31 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 5112 msiexec.exe (16 events): SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (8 SeRestorePrivilege and 7 SeTakeOwnershipPrivilege events)
Suspicious use of FindShellTrayWindow (35 IoCs)
Processes (pid, process; repeated events collapsed with a count):
- 2812 FileCenterSetup12.0.16.0.tmp (x1)
- 4236 PDFX5SA_sm.tmp (x2)
- 1216 FileCenterAgent.exe (x2)
- 4024 msedge.exe (x26)
- 5876 FileCenterAgent.exe (x1)
- 1812 pdfSaverL.exe (x3)
Suspicious use of SendNotifyMessage (30 IoCs)
Processes (pid, process; repeated events collapsed with a count):
- 1216 FileCenterAgent.exe (x2)
- 4024 msedge.exe (x24)
- 5876 FileCenterAgent.exe (x1)
- 1812 pdfSaverL.exe (x3)
Suspicious use of SetWindowsHookEx (24 IoCs)
Processes (pid, process; repeated events collapsed with a count, in the order logged):
- 4956 FileCenter.exe (x3)
- 1216 FileCenterAgent.exe (x1)
- 5876 FileCenterAgent.exe (x1)
- 6052 WINWORD.EXE (x10)
- 1812 pdfSaverL.exe (x1)
- 6052 WINWORD.EXE (x2)
- 4496 WINWORD.EXE (x6)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid and process -> target pid and process; each write was logged three times unless noted):
- 3068 FileCenterSetup12.0.16.0.exe -> 2812 FileCenterSetup12.0.16.0.tmp
- 2812 FileCenterSetup12.0.16.0.tmp -> 3236 FileCenterUtils.exe
- 2812 FileCenterSetup12.0.16.0.tmp -> 2300 FileCenterUtils.exe
- 2812 FileCenterSetup12.0.16.0.tmp -> 1244 FileCenterUtils.exe
- 1244 FileCenterUtils.exe -> 3724 TASKKILL.exe
- 1244 FileCenterUtils.exe -> 2792 TASKKILL.exe
- 1244 FileCenterUtils.exe -> 656 TASKKILL.exe
- 1244 FileCenterUtils.exe -> 5052 TASKKILL.exe
- 1244 FileCenterUtils.exe -> 2576 TASKKILL.exe
- 1244 FileCenterUtils.exe -> 2868 TASKKILL.exe
- 1244 FileCenterUtils.exe -> 4988 TASKKILL.exe
- 2812 FileCenterSetup12.0.16.0.tmp -> 4472 FileCenterUtils.exe
- 4472 FileCenterUtils.exe -> 2116 TASKKILL.exe
- 4472 FileCenterUtils.exe -> 1456 TASKKILL.exe
- 4472 FileCenterUtils.exe -> 3184 TASKKILL.exe
- 4472 FileCenterUtils.exe -> 2204 TASKKILL.exe
- 4472 FileCenterUtils.exe -> 3744 TASKKILL.exe
- 4472 FileCenterUtils.exe -> 4792 TASKKILL.exe
- 4472 FileCenterUtils.exe -> 4560 TASKKILL.exe
- 2812 FileCenterSetup12.0.16.0.tmp -> 4024 FileCenterUtils.exe
- 4024 FileCenterUtils.exe -> 532 regsvr32.exe
- 4024 FileCenterUtils.exe -> 2256 GdPictureComReg.exe (logged once; the listing is cut off at the 64-IoC limit)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, and the signatures triggered by that process):

- C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-91M4V.tmp\FileCenterSetup12.0.16.0.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-91M4V.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$F002A,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
    Signatures: Adds Run key to start application; Drops file in Program Files directory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtilsInfo.ini"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtilsInfo.ini"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -CLOSEALL
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterScanner.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterPortal.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterReceipts.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterReports.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileAgent.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterAgent.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -INSTBEG
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterScanner.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterPortal.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterReceipts.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterReports.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileAgent.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe
        Command line: TASKKILL /F /T /IM FileCenterAgent.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
      Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"
        Signatures: Loads dropped DLL; Modifies registry class
      - C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
        Command line: "C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent
        Signatures: Checks computer location settings; Executes dropped EXE
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb
          Signatures: Loads dropped DLL; Modifies registry class
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb
          Signatures: Modifies registry class
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"
        Signatures: Loads dropped DLL; Modifies registry class
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"
        Signatures: Loads dropped DLL
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"
        Signatures: Loads dropped DLL
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"
        Signatures: Loads dropped DLL; Modifies registry class
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"
        Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
        Command line: "C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart
        Signatures: Executes dropped EXE
        - C:\Windows\Temp\{8BF8B4F5-10DD-43A0-A1EB-36291E3734E5}\.cr\vc_redist.x86.exe
          Command line: "C:\Windows\Temp\{8BF8B4F5-10DD-43A0-A1EB-36291E3734E5}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
          Signatures: Executes dropped EXE; Loads dropped DLL
      - C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
        Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
      Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
        Command line: "C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
        Signatures: Executes dropped EXE
        - C:\Windows\Temp\{ED56CB5E-F2AA-49BD-A457-FDD2885C448B}\.cr\PDFXLite10.exe
          Command line: "C:\Windows\Temp\{ED56CB5E-F2AA-49BD-A457-FDD2885C448B}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=544 -burn.filehandle.self=548 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
          Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL
          - C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.be\PDFXLite10.exe
            Command line: "C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{262A7465-C6F0-497B-911B-DC855D9C73BB} {B4CAC3C0-771E-4082-95B3-BD17FCCF3556} 2840
            Signatures: Adds Run key to start application; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
        Command line: "C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
        Signatures: Executes dropped EXE
      - C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
        Command line: "C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
        Signatures: Executes dropped EXE
    - C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
      Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe
        Command line: "C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
        Signatures: Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\is-V9GRA.tmp\PDFX5SA_sm.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-V9GRA.tmp\PDFX5SA_sm.tmp" /SL5="$8022C,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
          Signatures: Drops file in Program Files directory; Executes dropped EXE; Loads dropped DLL; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
          - C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe
            Command line: "C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "
            Signatures: Drops file in System32 directory; Executes dropped EXE
          - C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe
            Command line: "C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer
            Signatures: Executes dropped EXE; Modifies registry class
          - C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe
            Command line: "C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
            Signatures: Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies Internet Explorer settings; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 9FD8740C1CB9A40353971547F983CAAF
    Signatures: Drops desktop.ini file(s); Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 749E251B05D11BF5DF1D2B0E40F2B789 E Global\MSI0000
    Signatures: Loads dropped DLL
  - C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe
    Command line: "C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"
    Signatures: Drops file in System32 directory; Executes dropped EXE
- C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
  Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: SetClipboardViewer; Suspicious use of SetWindowsHookEx
  - C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
    Command line: "C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
    Signatures: Executes dropped EXE
  - C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
    Command line: "C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
    Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterScanner.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterAgent.exe
    Signatures: Kills process with taskkill
  - C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
    Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: SetClipboardViewer; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=OBJIYUIE&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff986346f8,0x7fff98634708,0x7fff98634718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4972 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Windows\SysWOW64\TASKKILL.exe
    Command line: TASKKILL /F /T /IM FileCenterThumbs.exe
    Signatures: Kills process with taskkill
  - C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
    Command line: "C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe" 49563⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Drops file in System32 directory
- Loads dropped DLL
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Documents\CompressCopy.dotx"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x384 0x4481⤵
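The process tree above is flattened: each entry runs the image path straight into the quoted command line, and the digit before the "⤵" glyph is the nesting depth (1 = top level, 2 = child of the preceding depth-1 process, and so on). The parser below, an added example and not part of this report or of the FileCenter product, rebuilds parent/child links from those depth markers so that lineages such as WINWORD.EXE > splwow64.exe > pdfSaverL.exe, the targets of the repeated TASKKILL /F /T /IM calls, and which processes carry a given behaviour tag (for instance SetWindowsHookEx) can be queried rather than read by eye. Two assumptions: the image path is taken to end at the first ".exe" (case-insensitive), and the depth marker is a single digit, which is why "/prefetch:13⤵" splits as "/prefetch:1" at depth 3. The sample text is a subset of the entries shown above; parents that lie outside the excerpt come back as None.

```python
"""Rebuild a flattened tria.ge-style process tree (added example, not report code).

Entry format: "<image path><command line><depth>⤵", followed by "- <tag>" lines
and a bare "-" separator. Image and command line are fused in the extraction.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Image path up to the first ".exe", then the command line, then ONE depth digit
# and the arrow glyph U+2935 (assumption: depth never exceeds 9 in these reports).
PROC_RE = re.compile(r'^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)\u2935$', re.IGNORECASE)
TASKKILL_IM_RE = re.compile(r'/IM\s+(\S+)', re.IGNORECASE)

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    parent: Optional[int]                 # index into the parsed list, None if outside the excerpt
    tags: list = field(default_factory=list)

def basename(path: str) -> str:
    return ntpath.basename(path)          # Windows separators, regardless of host OS

def parse_process_tree(text: str) -> list:
    procs, last_at_depth = [], {}         # depth -> index of most recent process at that depth
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        if line.startswith('- '):         # behaviour tag belongs to the preceding process
            if procs:
                procs[-1].tags.append(line[2:].strip())
            continue
        m = PROC_RE.match(line)
        if not m:
            continue                      # headings or other non-process text
        depth = int(m['depth'])
        procs.append(Proc(m['image'], m['cmdline'].strip(), depth, last_at_depth.get(depth - 1)))
        last_at_depth[depth] = len(procs) - 1
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]          # a shallower entry closes every deeper subtree
    return procs

def lineage(procs, idx):
    """Image names from the outermost known ancestor down to procs[idx]."""
    chain = []
    while idx is not None:
        chain.append(basename(procs[idx].image))
        idx = procs[idx].parent
    return chain[::-1]

def with_tag(procs, needle):
    needle = needle.lower()
    return [p for p in procs if any(needle in t.lower() for t in p.tags)]

def taskkill_targets(procs):
    """Image names passed to taskkill /IM, in order of first appearance."""
    seen = []
    for p in procs:
        if basename(p.image).lower() == 'taskkill.exe':
            for name in TASKKILL_IM_RE.findall(p.cmdline):
                if name not in seen:
                    seen.append(name)
    return seen

def render(procs):
    """Indented one-line-per-process view; stable enough to diff two reports."""
    return [('  ' * (p.depth - 1)) + basename(p.image) + (f'  [{", ".join(p.tags)}]' if p.tags else '')
            for p in procs]

# Subset of the report's own entries (tags trimmed); '⤵' is the site's depth glyph.
SAMPLE = r'''
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /T /IM FileCenterThumbs.exe2⤵
- Kills process with taskkill
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe"C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe" 49563⤵
- Executes dropped EXE
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
- Drops file in System32 directory
-
C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x384 0x4481⤵
'''

if __name__ == '__main__':
    print('\n'.join(render(parse_process_tree(SAMPLE))))
```

Because tria.ge lists children directly after their parent, "most recent process at depth-1" is the correct parent; the same stack discipline works on the full report once the lines above this excerpt are included.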
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Downloads
-
C:\Config.Msi\e5930ae.rbsFilesize
35KB
MD5b971aa3d133dee2372809e1f07d674d8
SHA13988b77dfab2b0127bc1f65cda3525906bf20260
SHA256cb3178d32cf0947ebd0b582a569c04ebe3844230194c7e30a3f5947b3d8ed425
SHA5128b60da804d0d3434ab716a331bd4e52b1761d40b6c60bf1e6f73a12797ad1f77431ebd2e25f0daef7b3ab35027aace4b849034c2f3b3d5193d73cb9e28d9191b
-
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dllFilesize
593KB
MD52fbf69d014ae135d473ec8243d44be9e
SHA12c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA2566f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654
-
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exeFilesize
40.5MB
MD54c61ee01d5b84db67c38c10d3f210f39
SHA1844eab66505dc4eb88dec70c3f20307365c350ac
SHA256a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583
SHA512a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80
-
C:\Program Files (x86)\FileCenter\Main\FileCenter.exeFilesize
20.1MB
MD5879d5b401a73cc57a3166ba01ce70c60
SHA1ee8b47af48514a3b65f4ee838c95e7a3a64d3434
SHA25682da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe
SHA5126e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dllFilesize
13.0MB
MD52b9bbd88d6b6a3b7c417cbb0eae69bf4
SHA1c43ab9fa5c1085ba21280d143f8b8322d6a93883
SHA2561e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f
SHA512f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.iniFilesize
27B
MD570da425f8aac14b1484047edb83e60e8
SHA169d09199af5a5ba4ed4e1d59432fec784d5271e4
SHA256258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f
SHA512a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2
-
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exeFilesize
7.7MB
MD542d9ffbb0b7ef3cbdeb0c005619b12fb
SHA1fbaed95c25aa26c43121e8421b5154e9e5dcdca0
SHA25659e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307
SHA512c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb
-
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dllFilesize
36.9MB
MD5d9806fd0eeafd9f89e0473ad52889283
SHA1d6fca558897aaa6703129557e2d02b1a84765dcb
SHA256aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6
SHA512796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422
-
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlbFilesize
476KB
MD52e2fec3824de1d97f552892ec1ccaab5
SHA11c0443d5ed9dfe32bfb9239a46b553323c81c9af
SHA256077e7be04b67f86445e1e386ee31f788ee477fff5915bd4b6113c2da7fc8c86d
SHA51278ab6844ae2f44125b893f556232bda079f709d6284d3126c6461ff84a4290f01c6f779f22a9f07cb09a96d5893d5400dd1512923ec89a5a3779d81333ecadb7
-
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exeFilesize
21KB
MD5b9718823c993fccb6352cc0210993569
SHA14d551f7cafd0040ff9657ca644c1365f3e7847ae
SHA256a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89
SHA5126e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747
-
C:\Program Files (x86)\FileCenter\Main\VSTwain.dllFilesize
573KB
MD513f5f7e228ce2b8a3a41dbad4e451279
SHA11b3837572602b2620b75bf2ad2aeab89a64f5287
SHA25611b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292
SHA51224ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d
-
C:\Program Files (x86)\FileCenter\Main\dten600.dllFilesize
7.7MB
MD522cf875a0cf0ad89f5f7d7ac6628a598
SHA1c2a9620579a08d6a91557e6cb8f1d2585392d30d
SHA25611ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf
SHA5123b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608
-
C:\Program Files (x86)\FileCenter\Main\lbvProt.dllFilesize
532KB
MD5120387e48d0556538ef3ee68de18a707
SHA10633de57f7ef851115be39d407db8e08986b3d93
SHA256e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e
SHA512a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da
-
C:\Program Files (x86)\FileCenter\Main\secman.dllFilesize
146KB
MD5085d87f49daf13496e0e018c4008fae6
SHA14b0c3058b8ace7e8242c941b449daa968f5b45c7
SHA256d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15
SHA51252886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b
-
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exeFilesize
13.6MB
MD535b40b21383ac38487ceec8ab6e53565
SHA159894bd9c96361b475c3b4b7ca9719c72e813d04
SHA256caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec
SHA5123a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e
-
C:\ProgramData\FileCenter\Config.iniFilesize
42B
MD54a2b0b2d8d08db9fcc6eae2e25c9b4d1
SHA1bcbd9242fe7ad0afabb143453d732657cfc79ede
SHA25670bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e
SHA5125dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826
-
C:\ProgramData\FileCenter\Config.iniFilesize
23B
MD5b2ad8f8dcc45644ea167317d050faac4
SHA1215091d6ad9d4f210b85e675b17c60a7300ca9b1
SHA2569aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0
SHA512528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4
-
C:\ProgramData\FileCenter\Intercepts.iniFilesize
6KB
MD5293bfe23c32bd1332e4caf09e9bb347d
SHA11777f80e58dcc9b37cf87d73a4680723c7b87461
SHA2563f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264
SHA5120ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194
-
C:\ProgramData\FileCenter\Logs\Hooks.txtFilesize
998B
MD55534acbc2965520676df4215448e3ece
SHA108f48a11efa47b05cb0b7e2eb14c9b662ce3f68d
SHA25626bfb8cf557001f9253ed6da0fd33213e41136ef131cfcf8cfc395047cff668a
SHA51239b45c11a4d562e0e6f832037fe990ec6f027d70100bcc02abb148ee01cd6b28a20269a2f813b01414655e4501d4202101ca9b9bc1e334dc5e306d64bc9ad921
-
C:\ProgramData\FileCenter\Logs\Hooks_Last.txtFilesize
998B
MD58bde523bd564817653df647051518eb7
SHA1693044acff37c4c4d874dfa3cfc40b2f9980a987
SHA25636ed3a18cf868f4ed90d6ff723b60ba3e23893464245b1d6a83bd69f65f56580
SHA5123f98c832616b0db874b1254bf3fd0a24d3db95a70f9833f819cbd9a8114bc8ec97e3f77948af66d2204a6e099214ae29b453a08931c60f765dda0a54625eeb69
-
C:\ProgramData\FileCenter\MyPortal.iniFilesize
26B
MD58af40c2a9db1af603163ed8b0e25a3d0
SHA136db1a9baec9e7d6d17073529afff9df063e68d9
SHA25664b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705
SHA5122662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d
-
C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txtFilesize
1KB
MD5cb1f074d0cfd8d98eac29be681033716
SHA180ebf7b708a0e76e57fc625812e74b5c5dcc5243
SHA2561dc66eb11dde0cba77980987620efdbb9109a9e8619bbc6752a0f1c0893af5a9
SHA512cd2ddbdf942b5da8306ba6a48e7741c2b6a48bc46ca619bf1f76095d015912a29ccce5f974b27a7011e25a7f74767154396778214dcbe99501f181dd90300f7b
-
C:\ProgramData\FileCenter\Settings\POLData_Lock.tmpFilesize
14B
MD5724deba0ee02aa7ad576295d784b1230
SHA1f4f36556c9babc24a278f5f2ddcce4bff6a64bc7
SHA256a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac
SHA5123855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15AFilesize
893B
MD5d4ae187b4574036c2d76b6df8a8c1a30
SHA1b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA5121f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15AFilesize
252B
MD54ad669e3c7f7914cc5c30d13fad3df46
SHA10bebda762e6be6734c20db6f54d87414f0e052b4
SHA256796046b5d1352cad383eb323c394bb9ce99f5f5005037049ed3dbe3cc686aaea
SHA5123e3c6961b457ae53fd0fcdd86fe50c915718cb93ea3112cfc65969ecd63cd64106c34bd2ed5e3eafd407a666679440a145303bca700bc8004c053d39b2ce68ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
528B
MD5da83438d158b933976277ad761323980
SHA1d4cf8ec9df0e7ceb5f70a88f2eb2a7abbdcd0cee
SHA2567064b564fec6d96210af4a3f5a6b70411c423ae56aa027b4ba977fb14ca7ecdf
SHA512aec7c4aa65f59f72cb0c1471b3c1f13312f1a5961756a4b01f4a07f3c193cd55c963c8a8253613b796af2beebb55611cb51c65580358943305a42c049a46eda3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD57849aa7033299dc1286d2dfc536bf101
SHA1b88a4b97731056798b3888b9aefd161a0556fdd6
SHA2568204d4a7010118ad642348a9b0f9e9bbe046a9a4453a3b6b2e13613d466482ab
SHA512b475ce47e827d49010cb9a5f035d1b5eed5dd980f2b5dbe789168a578dbc4fcee421d9ea5a45646db4d8d9868a84924cf1a52124e6f8c07afccc0d397f856423
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5c646c1f4a0f94c752d68511a5343025d
SHA10e74f2145e4a78db8ed5556d42068a0ef7d5afba
SHA25657e1ae2cf1d6b2efd0f92bcaaaf04ca84cc66932a5e621d81f8092028af28df1
SHA512516e1ecb4f9d58600b41c487144ab09be60aac3acc629d65e01443a4327dbd5dc16a3899b91b77d191da62d0080d1b2a8b8c5b02a9cb1aefe2b9fa9d73b570ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD53e689c7db78bf7784109b603e7af307f
SHA1c5c64fec6b5e3740f235d106d3241d40f9fbd78d
SHA256f1b57325bfe21a98ac3ea2b337f21fca59ec842b216f1b75bc4104e682230206
SHA51261281ede365f78fc754ad5f6fd47fa1fc3971930ade07dc13be2b869c03028c66e8ee00084688646c9e5e52527d61c4a8ad4f775a83e279e929559db4d137373
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD569070d027d68e39cc05ff618c61a4eff
SHA13ca9a6251df5513b329204d80ddffc1fdbbd080b
SHA25642516a84d6093b65aa19f416763b6613d59618f51b79e5cb2fb07ba3eae14be1
SHA512a191fb160f40be50ba1454b16c4cd99ffa0f01730ae4b339491182d96292917e84692564beab42e6c03f138d823524558953a2204514a6fd105c6509d20bd07c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5615c46554caa87eddbaf73bf721387f5
SHA167407652489ba46d372a95555d18bff1d3eb1012
SHA2561e7a389c032ba61d5a6149360cf258a0a526df54baaeb95732811a092cef3c41
SHA5128a3a8fbf8c0f1875627309bd989c7daa2d28be1e9ec7b435f37436613979d1df5dd1d971dea19b3d4d1cc5bd4a59576384cb2b67799e28c3d42b45c7d5e9e7bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5dba9f91d586c5335c9aee469d068995b
SHA1327c9dca89c2c41ce9601fe04f579e73e503d67d
SHA256774b4ef7fddfffbc4d9b256439464515a75e75000b05126dd85fc27dce72bbe2
SHA5122103538053da22c84c1f296251d78144b9f990fea04027a4e01875085e29e97d31bae67245579dd854faadad03fc6342a456dd25875bd9d2d5b4bad5af5eb877
-
C:\Users\Admin\AppData\Local\Temp\TCD7BD5.tmp\iso690.xslFilesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exeFilesize
8.7MB
MD5e9638374a27160513f1a62827b6cf102
SHA1b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f
SHA256c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942
SHA5129632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c
-
C:\Users\Admin\AppData\Local\Temp\is-91M4V.tmp\FileCenterSetup12.0.16.0.tmpFilesize
3.0MB
MD50acf3c16e6faca9c0aec525f53d03866
SHA15c3960b48d2b72ad02e59470d8a7b690ee826f9e
SHA2562c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151
SHA51217d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2
-
C:\Users\Admin\AppData\Local\Temp\prnInstaller.logFilesize
643B
MD59de11197276eb18aa2cce47e3888657d
SHA12ecf7738156bf72f06a1e49cf88e155e0c19db31
SHA256387c99721c1bd6dbcac840deb6bb29da1e4d36c4fe76cea520406fd6218952b1
SHA512203aa42b8b8a17dd44178d72ff79743a13041e62253757d35a2a07f46c5188ebe751b1f5a90f812f70c5fba40288ff265416b5b87ce199cb5af54f00c65e8f24
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
202B
MD5add56ec49f8f478e84a934606effef1c
SHA11262ae87ef755e40752740df90d21352d5fc81ec
SHA25622e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327
SHA512c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD536b5b712dc444626bb107893c89352bd
SHA19b50019777f83a899810a37a8787af11e6f89e1b
SHA256706944e44a2d7f382822c1f84ccc685fd650a2a1db9e3f9c3bc309bf7b4de8aa
SHA512e1cf936da3b651cc346347ffd17759cdf5149fe7687be6dcf837ee5043d95d41096df846f411de4edb49466f115853682e3ab1f7bbded65a21e67c7ff622e4eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
3KB
MD5041a6220fd5afc5afb7f30dbef9912b7
SHA162310d2c4add31d93342b087ad0e9140fc1bbb82
SHA25683ce0a6ce9b2a0240d69e6a14315601e78bd4ab45f791564a176c1dcc5a8ecff
SHA5128344b116ccb3a0e4f595d7b3f347145e1030a1d91cdac40d5091263034f91e007ca5c9dfcb202f9de2f4eb67622674b6a2ee7e9ae54ee7469fe7c52aea438a23
-
C:\Windows\Installer\MSI3261.tmpFilesize
1.3MB
MD55a36339a5bae618a2ef09d0adab0b602
SHA1437d251abdcfe4f9379c44336ff5b920df7a0fbf
SHA2562e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674
SHA512cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a
-
C:\Windows\Temp\{8BF8B4F5-10DD-43A0-A1EB-36291E3734E5}\.cr\vc_redist.x86.exeFilesize
632KB
MD586123c033231dd7e427d619ddeefd26a
SHA1608c085348fd9c4e124e6f28f0388ccdac6ab2b5
SHA256d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737
SHA512ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.ba\logo.pngFilesize
5KB
MD504967ef5107480ea36b3e2e97af7eb7a
SHA16efdd4484dcfcfd45b3c887c852f0abb1a02a645
SHA25663f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21
SHA51200ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.ba\wixstdba.dllFilesize
203KB
MD50ba387d66175c20452de372f8dbb79fe
SHA15411d41a7d88291b97fb9573eb6448c72e773b70
SHA2567b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33
SHA51213ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\PkgLite64Filesize
2.6MB
MD5e91e50fc80f7d84561db5823595e5b63
SHA1b3e40b17a668586e86f346e9a7e3b8ef4838d437
SHA2563203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948
SHA512c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab20036D21E40418DD3280D692958B9275Filesize
378KB
MD5bed8b8bddf71f7b921c8efac0eb69518
SHA1df2818992742ed4e80d28a94e1b0f43f280db455
SHA2563cbfff994fa8a50b2d89e0dc906eefaf50ea16b07acb8ed4478fb2b116fcb8a5
SHA5125699485985ea856d8ef3e97372e51c98eb81225c18ab5a851e1d8f574c0c9e77986563ad63e9b2118bd42edac0a39a46727306484be71af485955f9e818502d7
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab20F2A2993791BDD97B003B5578C7EAC7Filesize
2.3MB
MD5951b5426340de231c90e0be2780cc66e
SHA1fd6b966fd3270e53d8b1d660d69d4290b75b8a9d
SHA256afac74f4b16fbefff34daec002a027abab8d45b6113ce1fde320cbf2b8eec68d
SHA512038c0a171079502899366abf1101b173468a1a1997dafe94b6d217e26d5f6fec97e0d38fd4f7a70ef3d410dfdd18b7d93b3954776db3fc7ed9e91211492e0fb2
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab293E212B151FCAC5768C99D66AA8D9AEFilesize
1.8MB
MD5f7bd3fbb5859bd43e830b621c8ade037
SHA171838fa41b8906bdcb9a64eec599dafd25d92c6f
SHA256789ca746d45588380841494901a531abcf7a9a184f74af2cf049a77f489f4dc7
SHA51253dbfde654e6bdaaab257fc3968a50ee7b8e4641bdc739c55ce1697e869ac513a7f2dc72ab92074b062928d56ab6f8083c5fa8a71a16a2f6918cc52f73b81250
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab5DD1590118F3640F385DB3EB2F516E5CFilesize
17.1MB
MD5b8b961c9899ec926b1dd8258b0232626
SHA18ed4a38e4a7c856a427a068ec51539f2e630f86c
SHA256e9c26ae1625eb454e4cd78dd9ac145eeae94190f943b6fc72d250dc3acb703d7
SHA5125dbcdbaf86bb25029838b93fa5787d9833b3ac2e6861b3df405b7957f1e5355395bcc664f4a550d9d79a7d3f7d98ca740527d5a86ecd0bfe0df3e768016f1877
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab66549ACD4EE6139A64068CA8626575A9Filesize
1.5MB
MD5bf193f70c4ba12e12a592df1cdb17b40
SHA1e84a6d1cbcdc79926f7defef1ad4b7a8a651b5cb
SHA256cee91939598abb3ec23ce0dc93c7690421efdca54795997558ef0fc617442a82
SHA51223077213cb84b84096c93da33f3a23bda28bcda638ec3a9256f4ab064d8bf6f1e2860d32e6713716f35803db92fb30c4f07b0b2accccd914d7bcb75910b63d79
-
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab8D36E281ACA51D7FBE9AB973BE9B36E3Filesize
174KB
MD50102ec8e3aa2b964f2d7719dd00de809
SHA19a008c6acc5c70c8467621bf4a8e78930e2843a3
SHA256765cdd18ca4b9c8de8f16035ab46f740a9da9e628f24dbfe16800af41fa3122b
SHA512ee4f280449bcceb357290c1970914524fcb30931b240591cee3f540fbfe365a81f5d6201eee9e18598163f9be392062ee8cfcdf16d289c4bc2effa6061e69c94
-
C:\Windows\Temp\{B9A65458-4ABB-48C9-89F8-73D218627531}\.ba\logo.pngFilesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Windows\Temp\{B9A65458-4ABB-48C9-89F8-73D218627531}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{ED56CB5E-F2AA-49BD-A457-FDD2885C448B}\.cr\PDFXLite10.exeFilesize
1.4MB
MD563ed90cdd501829a2319f8cf86c52bd2
SHA1da198bec49015e98baa5b2cb91903f659e31dd37
SHA256529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f
SHA512d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19
-
memory/500-694-0x000002942BFC0000-0x000002942E4AA000-memory.dmpFilesize
36.9MB
-
memory/500-717-0x000002940FA20000-0x000002940FA28000-memory.dmpFilesize
32KB
-
memory/500-718-0x00000294111A0000-0x00000294111C2000-memory.dmpFilesize
136KB
-
memory/500-683-0x000002940F3E0000-0x000002940F3F0000-memory.dmpFilesize
64KB
-
memory/1120-973-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1120-1034-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1216-1144-0x00000000027F0000-0x0000000003229000-memory.dmpFilesize
10.2MB
-
memory/1216-1172-0x0000000000ED0000-0x0000000002316000-memory.dmpFilesize
20.3MB
-
memory/1216-1178-0x00000000027F0000-0x0000000003229000-memory.dmpFilesize
10.2MB
-
memory/1244-29-0x0000000000FD0000-0x0000000001A66000-memory.dmpFilesize
10.6MB
-
memory/2256-572-0x00000000009F0000-0x00000000009F8000-memory.dmpFilesize
32KB
-
memory/2284-567-0x0000000010000000-0x00000000101C8000-memory.dmpFilesize
1.8MB
-
memory/2300-25-0x0000000000FD0000-0x0000000001A66000-memory.dmpFilesize
10.6MB
-
memory/2812-6-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-262-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-56-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-27-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-566-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-15-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-1036-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2812-1039-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3068-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/3068-14-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3068-1040-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3068-0-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3188-584-0x0000000005870000-0x0000000005902000-memory.dmpFilesize
584KB
-
memory/3188-583-0x0000000005D20000-0x00000000062C4000-memory.dmpFilesize
5.6MB
-
memory/3188-676-0x0000000005BD0000-0x0000000005BD8000-memory.dmpFilesize
32KB
-
memory/3188-678-0x0000000006770000-0x0000000006792000-memory.dmpFilesize
136KB
-
memory/3188-579-0x0000000007A70000-0x0000000009F5A000-memory.dmpFilesize
36.9MB
-
memory/3188-575-0x0000000000A80000-0x0000000000A92000-memory.dmpFilesize
72KB
-
memory/3236-13-0x0000000000FD0000-0x0000000001A66000-memory.dmpFilesize
10.6MB
-
memory/3236-12-0x00000000038B0000-0x00000000038B1000-memory.dmpFilesize
4KB
-
memory/3412-977-0x0000000000330000-0x0000000000DC6000-memory.dmpFilesize
10.6MB
-
memory/3836-640-0x0000000000CA0000-0x000000000145B000-memory.dmpFilesize
7.7MB
-
memory/4024-675-0x0000000000330000-0x0000000000DC6000-memory.dmpFilesize
10.6MB
-
memory/4236-1033-0x0000000000400000-0x000000000052C000-memory.dmpFilesize
1.2MB
-
memory/4472-31-0x0000000000FD0000-0x0000000001A66000-memory.dmpFilesize
10.6MB
-
memory/4540-1143-0x0000000000330000-0x0000000000DC6000-memory.dmpFilesize
10.6MB
-
memory/4732-724-0x0000000000330000-0x0000000000DC6000-memory.dmpFilesize
10.6MB
-
memory/4732-972-0x0000000000330000-0x0000000000DC6000-memory.dmpFilesize
10.6MB
-
memory/4956-1297-0x0000000000910000-0x0000000001F28000-memory.dmpFilesize
22.1MB
-
memory/4956-1449-0x0000000000910000-0x0000000001F28000-memory.dmpFilesize
22.1MB
-
memory/4956-1041-0x0000000001F30000-0x0000000002969000-memory.dmpFilesize
10.2MB
-
memory/4956-1138-0x0000000001F30000-0x0000000002969000-memory.dmpFilesize
10.2MB
-
memory/4956-1137-0x0000000000910000-0x0000000001F28000-memory.dmpFilesize
22.1MB
-
memory/4956-1189-0x0000000000910000-0x0000000001F28000-memory.dmpFilesize
22.1MB
-
memory/4956-1471-0x00000000711C0000-0x00000000711C1000-memory.dmpFilesize
4KB
-
memory/5876-1437-0x0000000002AC0000-0x00000000034F9000-memory.dmpFilesize
10.2MB
-
memory/6052-1456-0x00007FFF76650000-0x00007FFF76660000-memory.dmpFilesize
64KB
-
memory/6052-1470-0x00007FFF744E0000-0x00007FFF744F0000-memory.dmpFilesize
64KB
-
memory/6052-1460-0x00007FFF744E0000-0x00007FFF744F0000-memory.dmpFilesize
64KB
-
memory/6052-1459-0x00007FFF76650000-0x00007FFF76660000-memory.dmpFilesize
64KB
-
memory/6052-1458-0x00007FFF76650000-0x00007FFF76660000-memory.dmpFilesize
64KB
-
memory/6052-1455-0x00007FFF76650000-0x00007FFF76660000-memory.dmpFilesize
64KB
-
memory/6052-1457-0x00007FFF76650000-0x00007FFF76660000-memory.dmpFilesize
64KB
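The dropped-file listing above is the part of this report a responder actually reuses: the hashes are the indicators to sweep a host for. As extracted, each entry fuses the "Filesize" label onto the path and the algorithm name onto the digest ("MD5b971…", "SHA13988…"), and memory/<pid>-<n>-<start>-<end>-memory.dmp entries carry only a size. The indexer below is an added example, not part of the report or of any vendor tooling. It parses entries in exactly that fused form, validates digest lengths so a truncated hash is caught rather than silently indexed, decodes the PID and address range of memory dumps and checks the range against the reported size, and matches file content against the strongest digest a record carries (SHA-512, then SHA-256, then SHA-1; MD5 alone is never used for a match). The sample embeds two entries and one memory dump copied from the listing above plus one constructed record (C:\constructed\hello.txt, hashes of the bytes "hello") so the match path can be exercised offline.

```python
"""Index tria.ge-style dropped-file entries and match content against them
(added example, not report code). Entry: "<path>Filesize", a size such as
"35KB", then zero or more "<ALGO><hexdigest>" lines; "-" separates entries."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_RE = re.compile(r'^(?P<algo>MD5|SHA1|SHA256|SHA512)(?P<hex>[0-9a-fA-F]+)$')
SIZE_RE = re.compile(r'^(?P<num>\d+(?:\.\d+)?)(?P<unit>B|KB|MB|GB)$')
MEM_RE = re.compile(r'^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')
DIGEST_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}
UNIT = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}
STRONG = ('sha512', 'sha256', 'sha1')   # MD5 alone never decides a match

@dataclass
class Record:
    path: str
    size_text: Optional[str] = None
    size_bytes: Optional[int] = None
    hashes: dict = field(default_factory=dict)
    pid: Optional[int] = None            # memory dumps only
    region: Optional[tuple] = None       # (start, end) virtual addresses, memory dumps only

    def region_len(self):
        return None if self.region is None else self.region[1] - self.region[0]

def parse_size(text):
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f'unrecognised size {text!r}')
    return int(float(m['num']) * UNIT[m['unit']])

def parse_dropped_files(text):
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            cur = None                   # separator closes the current entry
            continue
        if line.endswith('Filesize'):    # label fused onto the path by extraction
            cur = Record(path=line[:-len('Filesize')])
            m = MEM_RE.match(cur.path)
            if m:
                cur.pid = int(m['pid'])
                cur.region = (int(m['start'], 16), int(m['end'], 16))
            records.append(cur)
            continue
        if cur is None:
            continue                     # section headings such as "Downloads"
        if cur.size_text is None:
            cur.size_text, cur.size_bytes = line, parse_size(line)
            continue
        m = HASH_RE.match(line)
        if not m:
            raise ValueError(f'unexpected line under {cur.path!r}: {line!r}')
        algo, digest = m['algo'].lower(), m['hex'].lower()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f'{algo} digest of wrong length under {cur.path!r}')
        cur.hashes[algo] = digest
    return records

def region_size_consistent(rec, tolerance=0.01):
    """Does a dump's reported size agree with the address range in its name?"""
    return rec.region is not None and abs(rec.size_bytes - rec.region_len()) <= tolerance * rec.region_len()

def hash_bytes(data):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}

def match(records, data):
    """Paths whose strongest recorded digest equals the digest of `data`."""
    h, hits = hash_bytes(data), []
    for r in records:
        for algo in STRONG:
            if algo in r.hashes:
                if r.hashes[algo] == h[algo]:
                    hits.append(r.path)
                break
    return hits

def find_by_hash(records, digest):
    digest = digest.strip().lower()
    return [r.path for r in records if digest in r.hashes.values()]

# Three entries copied from the report plus one constructed record (hashes of b"hello").
SAMPLE = r'''
Downloads
-
C:\Config.Msi\e5930ae.rbsFilesize
35KB
MD5b971aa3d133dee2372809e1f07d674d8
SHA13988b77dfab2b0127bc1f65cda3525906bf20260
SHA256cb3178d32cf0947ebd0b582a569c04ebe3844230194c7e30a3f5947b3d8ed425
SHA5128b60da804d0d3434ab716a331bd4e52b1761d40b6c60bf1e6f73a12797ad1f77431ebd2e25f0daef7b3ab35027aace4b849034c2f3b3d5193d73cb9e28d9191b
-
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dllFilesize
593KB
MD52fbf69d014ae135d473ec8243d44be9e
SHA12c28d3b23d8ff061ae554ccd92aec93900e3cb2b
SHA2566f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3
SHA512530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654
-
memory/500-694-0x000002942BFC0000-0x000002942E4AA000-memory.dmpFilesize
36.9MB
-
C:\constructed\hello.txtFilesize
5B
MD55d41402abc4b2a76b9719d911017c592
SHA2562cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
-
'''

if __name__ == '__main__':
    for r in parse_dropped_files(SAMPLE):
        print(r.path, r.size_bytes, sorted(r.hashes))
```

Duplicate paths with different digests (the listing above has two C:\ProgramData\FileCenter\Config.ini entries, for example) are kept as separate records on purpose: the file was written more than once, and a sweep should match either version.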