df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9

Resubmissions

25-06-2024 14:19

240625-rm6bxsvdkb 6

21-06-2024 15:11

240621-sknjrsygjm 6

17-06-2024 17:09

240617-vn6wmawhlb 10

14-06-2024 13:23

240614-qmxjcawdmm 10

Analysis

max time kernel
497s
max time network
448s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileCenterSetup12.0.16.0.exe
Size

300.4MB
MD5

123556b83a3dad2f59e76602768e9536
SHA1

b402ded286fff73aaf9b32f075bc32029da6d461
SHA256

df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9
SHA512

bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506
SSDEEP

6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FileCenterSetup12.0.16.0.tmpPDFXLite10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FileCenterAutomateAgent = "C:\\Program Files (x86)\\FileCenter\\Main\\FileCenterAutomateAgent.exe"	FileCenterSetup12.0.16.0.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{3780ab31-c524-4f3b-a4db-79d692700a62} = "\"C:\\ProgramData\\Package Cache\\{3780ab31-c524-4f3b-a4db-79d692700a62}\\PDFXLite10.exe\" /burn.runonce"	PDFXLite10.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

50 5112 msiexec.exe
52 5112 msiexec.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

MsiExec.exe

description ioc process

File opened for modification C:\Users\Public\Desktop\desktop.ini MsiExec.exe

flow	pid	process
50	5112	msiexec.exe
52	5112	msiexec.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	MsiExec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FileCenterUtils.exeFileCenter.exeFileCenterAgent.exeFileCenterUtils.exeGdPictureComReg.exeFileCenterUtils.exePDFXLite10.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FileCenterUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FileCenter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FileCenterAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FileCenterUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	GdPictureComReg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	FileCenterUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	PDFXLite10.exe

Drops file in System32 directory 10 IoCs

Processes:

splwow64.exePrnInstaller.exeprninstaller.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pxcdrv.xml	PrnInstaller.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pxcdrvL.dll	PrnInstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50UIf.DLL	prninstaller.exe
File opened for modification	C:\Windows\system32\pxcpmL.dll	PrnInstaller.exe
File created	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File opened for modification	C:\Windows\system32\pxc50pm.dll	prninstaller.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PXC50f.DLL	prninstaller.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpmsiexec.exePDFX5SA_sm.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\FileCenter\Main\Perceptive.DocumentFilters.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-8Q4BU.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Tracker Software\Vault\XCVault.exe	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-K3PRQ.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Help\is-B0UCI.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.zh-CN.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-06TEJ.tmp	PDFX5SA_sm.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-SUK7Q.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-V8TD6.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.pt-BR.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Uninstall\FileCenter\unins000.dat	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-EGD62.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.ar-SA.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\EZT4Ocr.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-VC254.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.he-IL.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\is-1M0FI.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.nl-NL.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\is-MJ08F.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-U6KGK.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-2ON21.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-VJ041.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-DHFSK.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.id-ID.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsnet15.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrspng15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Tips\is-OEDGF.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-CP7II.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-DJ6NE.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineSI.exe	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-14IVA.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-LHJK5.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Plugins.x86\is-IO4M4.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\ISYS11df.dll	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\EZT4Gif.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\IRIS\is-C5NU0.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sr-Latn-RS.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterAddin64.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-T32FV.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.sv-SE.xcl	msiexec.exe
File created	C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Main\is-U7E3T.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\GdOCR\is-B37KA.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\Samples\is-LTMGC.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\TrackerUpdate.de-DE.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.az-Latn-AZ.xcl	msiexec.exe
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\pdfSaver.it-IT.xcl	msiexec.exe
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsocr15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\fonts\is-A6M1D.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-4F1N6.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-N479V.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-QDMB5.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-4NEQI.tmp	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Help\fc-scan.chm	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineRI.exe	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\FileCenterOCREngineTR.exe	FileCenterSetup12.0.16.0.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\IRIS\idrsdmtx15.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-F999M.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files\Common Files\Tracker Software\Common\Languages\DriverUI.sw-KE.xcl	msiexec.exe
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\is-7L2AT.tmp	PDFX5SA_sm.tmp
File opened for modification	C:\Program Files (x86)\FileCenter\Main\EZT4Curl.dll	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Main\is-UEAIO.tmp	FileCenterSetup12.0.16.0.tmp
File created	C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\Temp\x64\is-4V5RH.tmp	PDFX5SA_sm.tmp

Drops file in Windows directory 20 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI32A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32B1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI342B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI363F.tmp	msiexec.exe
File created	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI36DC.tmp	msiexec.exe
File created	C:\Windows\Installer\e5930ab.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3261.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3409.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E70.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5930ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI341A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6318D993-1BE8-4BE4-B9E9-D6BFED11A071}\AppIco	msiexec.exe
File created	C:\Windows\Installer\e5930af.msi	msiexec.exe

Executes dropped EXE 32 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeGdPictureComReg.exevc_redist.x86.exevc_redist.x86.exeFileCenterAutomateService.exeFileCenterUtils.exePDFXLite10.exePDFXLite10.exePDFXLite10.exePrnInstaller.exepdfSaverL.exepdfSaverL.exeFileCenterUtils.exePDFX5SA_sm.exePDFX5SA_sm.tmpprninstaller.exepdfSaver5.exeXCVault.exeFileCenter.exepdfSaverL.exepdfSaverL.exeFileCenterUtils.exeFileCenterAgent.exeFileCenterAgent.exeFileCenterInjector32.exepdfSaverL.exe

pid	process
2812	FileCenterSetup12.0.16.0.tmp
3236	FileCenterUtils.exe
2300	FileCenterUtils.exe
1244	FileCenterUtils.exe
4472	FileCenterUtils.exe
4024	FileCenterUtils.exe
2256	GdPictureComReg.exe
4108	vc_redist.x86.exe
1824	vc_redist.x86.exe
3836	FileCenterAutomateService.exe
4732	FileCenterUtils.exe
1348	PDFXLite10.exe
2840	PDFXLite10.exe
4412	PDFXLite10.exe
3156	PrnInstaller.exe
1752
1872	pdfSaverL.exe
5032	pdfSaverL.exe
3412	FileCenterUtils.exe
1120	PDFX5SA_sm.exe
4236	PDFX5SA_sm.tmp
3744	prninstaller.exe
3612	pdfSaver5.exe
3192	XCVault.exe
4956	FileCenter.exe
3464	pdfSaverL.exe
220	pdfSaverL.exe
4540	FileCenterUtils.exe
1216	FileCenterAgent.exe
5876	FileCenterAgent.exe
3000	FileCenterInjector32.exe
1812	pdfSaverL.exe

Loads dropped DLL 47 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregasm.exevc_redist.x86.exePDFXLite10.exeMsiExec.exeMsiExec.exePDFX5SA_sm.tmpFileCenter.exeFileCenterAgent.exeFileCenterAgent.exesplwow64.exepdfSaverL.exe

pid	process
532	regsvr32.exe
1952	regsvr32.exe
4260	regsvr32.exe
2284	regsvr32.exe
1736	regsvr32.exe
1368	regsvr32.exe
1368	regsvr32.exe
3188	regasm.exe
3188	regasm.exe
3188	regasm.exe
3188	regasm.exe
1824	vc_redist.x86.exe
2840	PDFXLite10.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
1824	MsiExec.exe
4116	MsiExec.exe
4116	MsiExec.exe
1824	MsiExec.exe
4236	PDFX5SA_sm.tmp
1752
1752
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
1216	FileCenterAgent.exe
1216	FileCenterAgent.exe
5876	FileCenterAgent.exe
5876	FileCenterAgent.exe
4956	FileCenter.exe
4136	splwow64.exe
212
4136	splwow64.exe
1812	pdfSaverL.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Kills process with taskkill 25 IoCs

evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid	process
4080	TASKKILL.exe
656	TASKKILL.exe
2576	TASKKILL.exe
4988	TASKKILL.exe
4732	TASKKILL.exe
4348	TASKKILL.exe
3720	TASKKILL.exe
3124	TASKKILL.exe
5052	TASKKILL.exe
2116	TASKKILL.exe
2252	TASKKILL.exe
2868	TASKKILL.exe
2204	TASKKILL.exe
3744	TASKKILL.exe
2140	TASKKILL.exe
2792	TASKKILL.exe
1456	TASKKILL.exe
4792	TASKKILL.exe
3068	TASKKILL.exe
3724	TASKKILL.exe
4560	TASKKILL.exe
3540	TASKKILL.exe
3808	TASKKILL.exe
3464	TASKKILL.exe
3184	TASKKILL.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exePDFX5SA_sm.tmp

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}	PDFX5SA_sm.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppName = "pdfSaver5.exe"	PDFX5SA_sm.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\AppPath = "C:\\Program Files (x86)\\FileCenter\\Drivers\\PDF-XChange 5\\"	PDFX5SA_sm.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ABA61947-63DA-4A87-A926-786EB7A10B40}\Policy = "3"	PDFX5SA_sm.tmp
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppName = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\pdfSaverL.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8F1C58E0-2797-4EB7-A74A-397B24BB769D}\AppPath = "C:\\Program Files\\Tracker Software\\PDF-XChange Lite\\"	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 64 IoCs

Processes:

regasm.exeregsvr32.exeregasm.exeregsvr32.exeregsvr32.exemsiexec.exepdfSaver5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\ProgId	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B1C806E-791F-4D81-AD28-28C84A7F9626}\ = "IObjCollection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A79755A3-8507-48EE-A616-611BB01CF94B}\TypeLib	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2149EA7-B58E-378B-8E52-70645A0BEC94}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{718C8EE7-1EEF-4717-8E60-C3661B610550}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dten600.FileConverter	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B55EFD3A-7639-45F0-A33E-12971B7DAAB7}\ = "IUIX_RangesNavigator"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2CB39873-DF95-333A-B652-AB54100BD735}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D726366D-34D6-49FC-A341-7B84C54CCA3E}\ = "IPXV_Inst"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14587E1E-35FA-4716-AE19-A18E355EFA17}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3074C30-3837-31AA-81D3-8AB09BDFC431}\TypeLib\ = "{B5893B58-701E-4110-9871-1DA14CF9C1DC}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{09EA018A-8293-38A7-816E-0251F9E09C9B}\TypeLib\Version = "e.2"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFE955F3-4ADE-4C79-B40A-8DD1955A328F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D615A9E-73D4-4FEF-A0DA-6973C26C17B2}\ = "ISearchFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237F6B6F-DAB7-4230-B2E9-49D5C6AB9243}\ = "IUIX_ContextHelpHandler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91F594C1-7C1A-465D-BC9C-004E2FD7C6C4}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F656181-7551-47DC-8A8A-7BB562F91A6F}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1E506401-16B8-3FD1-86A0-4C22389BCEB2}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{264197D5-6440-3006-8548-E33267CA93BA}\14.2.69.0\Class = "GdPicture14.TwainPixelType"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C577CE3-F5BD-4AC5-B52D-76264D51D578}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0265291-1DFC-4377-B60D-7AE9CA536A73}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49237A9D-448A-484D-9036-73E1E6C36628}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AE9FE02C-2917-3CDF-83C6-040C869E2504}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{014302D9-4DE6-397A-8DE9-F470BD0254A8}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{516A4C96-825D-3A42-8C62-0ECE20DE935D}	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97AC7381-9417-323E-8AAE-234B95A6157B}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B44473C2-B0B0-38C6-AD26-DC7F2B91FDA3}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C023D333-1DE2-3611-8A05-5D48816051B9}\TypeLib\Version = "e.2"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3D50468D-69C9-365A-A899-AB61D669F22C}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CEB68BB-FEF5-3F6C-9F82-7C6B1F524A3F}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3AB685D-A017-34B0-B2B6-08EE7121AF3C}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D8DD4B1-B719-303C-8F01-7C00B4A93B1F}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EE9072C9-4757-39C3-85B2-55DA35698A58}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B539001-204C-4960-9AE6-9246D044961F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6B868CDB-BBBB-37C8-8FDB-9CBDDD8F7B1F}\14.2.69.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1CB9426-FA08-4829-8470-C8C7FF7F7A00}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8934FF21-97DD-3A3A-A58D-327BAA701B1E}\14.2.69.0\CodeBase = "file:///C:/Program Files (x86)/FileCenter/Main/GdPicture.NET.14.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B430FB9-7FBB-4645-94BC-76E917FFCE42}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A7F1FD3-FC4C-40C1-AF2C-D25CBB527C8E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{681F0BA3-6BEA-37FA-9AD5-4AD97E322866}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFA5BEFF-8BDD-4AE1-AD40-6D11FAD0CA1C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F64923D-567C-4603-82D9-1AAABB307C20}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C0996724-EA4D-3ECE-AFA2-E67E6B91B5E6}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\87E34BDCB0E3B234F8E631EF56D3CC43	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{697DF026-B24E-11D3-B57C-00105AA461D0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A46B9230-3A18-3180-9BA9-1D063B9DB1B7}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E200759-C46D-3822-A83A-11C96FC94477}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FE1F915C-17D3-35EB-BB14-24CEC02931D3}\14.2.69.0\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{607DAA74-906B-3146-999C-F4688F1E354D}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F6F8356-1AB8-40AD-81E4-E1E3E71B4BCD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{607DAA74-906B-3146-999C-F4688F1E354D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBED514A-A877-398F-AE2A-A1EDE5F43724}\InprocServer32\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17AA9FC1-A869-38F0-A7FF-A720437AD51D}\14.2.69.0\Assembly = "GdPicture.NET.14, Version=14.2.69.0, Culture=neutral, PublicKeyToken=f52a2e60ad468dbb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71300D43-687F-436A-A699-2B37448D0803}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{759D3976-86EC-378D-BF99-6EA0E85A98ED}\14.2.69.0	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E5C6F2A3-9E94-3BAD-901A-ECAF82AC0D62}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DF179B8-96F1-4F3E-9338-DFEEB61B810A}\VersionIndependentProgID\ = "TrackerUpdateSrvLib.TrackerUpdateObj"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73D6873C-BD16-49E6-A160-81D847A24DF7}	pdfSaver5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EBB31E2-2E6A-4463-B53B-EA7C502D564D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF87328C-B7C8-4FC8-8DE6-043E83F25A17}\ = "_IPXV_ControlEvents"	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

WINWORD.EXEWINWORD.EXEFileCenter.exe

pid process

6052 WINWORD.EXE
6052 WINWORD.EXE
4496 WINWORD.EXE
4496 WINWORD.EXE
4956 FileCenter.exe

pid	process
6052	WINWORD.EXE
6052	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4956	FileCenter.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

FileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeregsvr32.exeFileCenterAutomateService.exeFileCenterUtils.exemsiexec.exeMsiExec.exeFileCenterUtils.exePDFX5SA_sm.tmpFileCenter.exeFileCenterUtils.exeFileCenterAgent.exemsedge.exemsedge.exeidentity_helper.exeFileCenterAgent.exeFileCenterInjector32.exe

pid	process
3236	FileCenterUtils.exe
3236	FileCenterUtils.exe
2300	FileCenterUtils.exe
2300	FileCenterUtils.exe
1244	FileCenterUtils.exe
1244	FileCenterUtils.exe
2812	FileCenterSetup12.0.16.0.tmp
2812	FileCenterSetup12.0.16.0.tmp
4472	FileCenterUtils.exe
4472	FileCenterUtils.exe
4024	FileCenterUtils.exe
4024	FileCenterUtils.exe
1368	regsvr32.exe
1368	regsvr32.exe
3836	FileCenterAutomateService.exe
3836	FileCenterAutomateService.exe
4732	FileCenterUtils.exe
4732	FileCenterUtils.exe
5112	msiexec.exe
5112	msiexec.exe
1824	MsiExec.exe
1824	MsiExec.exe
3412	FileCenterUtils.exe
3412	FileCenterUtils.exe
4236	PDFX5SA_sm.tmp
4236	PDFX5SA_sm.tmp
4956	FileCenter.exe
4956	FileCenter.exe
4540	FileCenterUtils.exe
4540	FileCenterUtils.exe
1216	FileCenterAgent.exe
1216	FileCenterAgent.exe
4944	msedge.exe
4944	msedge.exe
4024	msedge.exe
4024	msedge.exe
4336	identity_helper.exe
4336	identity_helper.exe
5876	FileCenterAgent.exe
5876	FileCenterAgent.exe
3000	FileCenterInjector32.exe
3000	FileCenterInjector32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4024 msedge.exe
4024 msedge.exe
4024 msedge.exe
4024 msedge.exe
4024 msedge.exe
4024 msedge.exe
4024 msedge.exe

pid	process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious behavior: SetClipboardViewer 8 IoCs

Processes:

FileCenter.exeFileCenterAgent.exeFileCenterAgent.exe

pid	process
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
1216	FileCenterAgent.exe
1216	FileCenterAgent.exe
5876	FileCenterAgent.exe
5876	FileCenterAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4988	TASKKILL.exe
Token: SeDebugPrivilege	2868	TASKKILL.exe
Token: SeDebugPrivilege	656	TASKKILL.exe
Token: SeDebugPrivilege	2576	TASKKILL.exe
Token: SeDebugPrivilege	2792	TASKKILL.exe
Token: SeDebugPrivilege	3724	TASKKILL.exe
Token: SeDebugPrivilege	5052	TASKKILL.exe
Token: SeDebugPrivilege	3184	TASKKILL.exe
Token: SeDebugPrivilege	3744	TASKKILL.exe
Token: SeDebugPrivilege	4792	TASKKILL.exe
Token: SeDebugPrivilege	1456	TASKKILL.exe
Token: SeDebugPrivilege	2204	TASKKILL.exe
Token: SeDebugPrivilege	2116	TASKKILL.exe
Token: SeDebugPrivilege	4560	TASKKILL.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe
Token: SeShutdownPrivilege	4412	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	4412	PDFXLite10.exe
Token: SeSecurityPrivilege	5112	msiexec.exe
Token: SeCreateTokenPrivilege	4412	PDFXLite10.exe
Token: SeAssignPrimaryTokenPrivilege	4412	PDFXLite10.exe
Token: SeLockMemoryPrivilege	4412	PDFXLite10.exe
Token: SeIncreaseQuotaPrivilege	4412	PDFXLite10.exe
Token: SeMachineAccountPrivilege	4412	PDFXLite10.exe
Token: SeTcbPrivilege	4412	PDFXLite10.exe
Token: SeSecurityPrivilege	4412	PDFXLite10.exe
Token: SeTakeOwnershipPrivilege	4412	PDFXLite10.exe
Token: SeLoadDriverPrivilege	4412	PDFXLite10.exe
Token: SeSystemProfilePrivilege	4412	PDFXLite10.exe
Token: SeSystemtimePrivilege	4412	PDFXLite10.exe
Token: SeProfSingleProcessPrivilege	4412	PDFXLite10.exe
Token: SeIncBasePriorityPrivilege	4412	PDFXLite10.exe
Token: SeCreatePagefilePrivilege	4412	PDFXLite10.exe
Token: SeCreatePermanentPrivilege	4412	PDFXLite10.exe
Token: SeBackupPrivilege	4412	PDFXLite10.exe
Token: SeRestorePrivilege	4412	PDFXLite10.exe
Token: SeShutdownPrivilege	4412	PDFXLite10.exe
Token: SeDebugPrivilege	4412	PDFXLite10.exe
Token: SeAuditPrivilege	4412	PDFXLite10.exe
Token: SeSystemEnvironmentPrivilege	4412	PDFXLite10.exe
Token: SeChangeNotifyPrivilege	4412	PDFXLite10.exe
Token: SeRemoteShutdownPrivilege	4412	PDFXLite10.exe
Token: SeUndockPrivilege	4412	PDFXLite10.exe
Token: SeSyncAgentPrivilege	4412	PDFXLite10.exe
Token: SeEnableDelegationPrivilege	4412	PDFXLite10.exe
Token: SeManageVolumePrivilege	4412	PDFXLite10.exe
Token: SeImpersonatePrivilege	4412	PDFXLite10.exe
Token: SeCreateGlobalPrivilege	4412	PDFXLite10.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe
Token: SeTakeOwnershipPrivilege	5112	msiexec.exe
Token: SeRestorePrivilege	5112	msiexec.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

FileCenterSetup12.0.16.0.tmpPDFX5SA_sm.tmpFileCenterAgent.exemsedge.exeFileCenterAgent.exepdfSaverL.exe

pid	process
2812	FileCenterSetup12.0.16.0.tmp
4236	PDFX5SA_sm.tmp
4236	PDFX5SA_sm.tmp
1216	FileCenterAgent.exe
1216	FileCenterAgent.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
5876	FileCenterAgent.exe
1812	pdfSaverL.exe
1812	pdfSaverL.exe
1812	pdfSaverL.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

FileCenterAgent.exemsedge.exeFileCenterAgent.exepdfSaverL.exe

pid	process
1216	FileCenterAgent.exe
1216	FileCenterAgent.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
5876	FileCenterAgent.exe
1812	pdfSaverL.exe
1812	pdfSaverL.exe
1812	pdfSaverL.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

FileCenter.exeFileCenterAgent.exeFileCenterAgent.exeWINWORD.EXEpdfSaverL.exeWINWORD.EXE

pid	process
4956	FileCenter.exe
4956	FileCenter.exe
4956	FileCenter.exe
1216	FileCenterAgent.exe
5876	FileCenterAgent.exe
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
6052	WINWORD.EXE
1812	pdfSaverL.exe
6052	WINWORD.EXE
6052	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE
4496	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FileCenterSetup12.0.16.0.exeFileCenterSetup12.0.16.0.tmpFileCenterUtils.exeFileCenterUtils.exeFileCenterUtils.exe

description	pid	process	target process
PID 3068 wrote to memory of 2812	3068	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 3068 wrote to memory of 2812	3068	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 3068 wrote to memory of 2812	3068	FileCenterSetup12.0.16.0.exe	FileCenterSetup12.0.16.0.tmp
PID 2812 wrote to memory of 3236	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 3236	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 3236	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 2300	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 2300	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 2300	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 1244	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 1244	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 1244	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 1244 wrote to memory of 3724	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 3724	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 3724	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2792	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2792	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2792	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 656	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 656	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 656	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 5052	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 5052	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 5052	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2576	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2576	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2576	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2868	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2868	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 2868	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 4988	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 4988	1244	FileCenterUtils.exe	TASKKILL.exe
PID 1244 wrote to memory of 4988	1244	FileCenterUtils.exe	TASKKILL.exe
PID 2812 wrote to memory of 4472	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 4472	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 4472	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4472 wrote to memory of 2116	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 2116	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 2116	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 1456	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 1456	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 1456	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 3184	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 3184	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 3184	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 2204	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 2204	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 2204	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 3744	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 3744	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 3744	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 4792	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 4792	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 4792	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 4560	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 4560	4472	FileCenterUtils.exe	TASKKILL.exe
PID 4472 wrote to memory of 4560	4472	FileCenterUtils.exe	TASKKILL.exe
PID 2812 wrote to memory of 4024	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 4024	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 2812 wrote to memory of 4024	2812	FileCenterSetup12.0.16.0.tmp	FileCenterUtils.exe
PID 4024 wrote to memory of 532	4024	FileCenterUtils.exe	regsvr32.exe
PID 4024 wrote to memory of 532	4024	FileCenterUtils.exe	regsvr32.exe
PID 4024 wrote to memory of 532	4024	FileCenterUtils.exe	regsvr32.exe
PID 4024 wrote to memory of 2256	4024	FileCenterUtils.exe	GdPictureComReg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\is-91M4V.tmp\FileCenterSetup12.0.16.0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-91M4V.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$F002A,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtilsInfo.ini"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -CLOSEALL
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
"C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe" -INSTBEG
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterPortal.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReceipts.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterReports.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:532

C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
"C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb
5⤵
- Loads dropped DLL
- Modifies registry class
PID:3188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb
5⤵
- Modifies registry class
PID:500

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1952

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"
4⤵
- Loads dropped DLL
PID:4260

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"
4⤵
- Loads dropped DLL
PID:2284

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1736

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
"C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
PID:4108

C:\Windows\Temp\{8BF8B4F5-10DD-43A0-A1EB-36291E3734E5}\.cr\vc_redist.x86.exe
"C:\Windows\Temp\{8BF8B4F5-10DD-43A0-A1EB-36291E3734E5}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824

C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
4⤵
- Executes dropped EXE
PID:1348

C:\Windows\Temp\{ED56CB5E-F2AA-49BD-A457-FDD2885C448B}\.cr\PDFXLite10.exe
"C:\Windows\Temp\{ED56CB5E-F2AA-49BD-A457-FDD2885C448B}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=544 -burn.filehandle.self=548 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2840

C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.be\PDFXLite10.exe
"C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{262A7465-C6F0-497B-911B-DC855D9C73BB} {B4CAC3C0-771E-4082-95B3-BD17FCCF3556} 2840
6⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
4⤵
- Executes dropped EXE
PID:1872

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
4⤵
- Executes dropped EXE
PID:5032

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3412

C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
4⤵
- Executes dropped EXE
PID:1120

C:\Users\Admin\AppData\Local\Temp\is-V9GRA.tmp\PDFX5SA_sm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V9GRA.tmp\PDFX5SA_sm.tmp" /SL5="$8022C,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4236

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "
6⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3744

C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe
"C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer
6⤵
- Executes dropped EXE
- Modifies registry class
PID:3612

C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe
"C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
6⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 9FD8740C1CB9A40353971547F983CAAF
2⤵
- Drops desktop.ini file(s)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 749E251B05D11BF5DF1D2B0E40F2B789 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:4116

C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"
2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3156

C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenter.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
2⤵
- Executes dropped EXE
PID:3464

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
2⤵
- Executes dropped EXE
PID:220

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:4732

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:2252

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:4348

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3720

C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -OLOFF
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterScanner.exe
2⤵
- Kills process with taskkill
PID:2140

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterAgent.exe
2⤵
- Kills process with taskkill
PID:4080

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.filecenter.com/action.php?Action=Welcome&Refresh=1&ProductKey=&KeyID=-1&PTID=1&SourceID=-1&CustomID=-1&VerID=-1&PartnerID=0&WelcomeID=0&Version=12.0.16.0&CN=OBJIYUIE&UN=Admin&Trial=0&DaysLeft=0&s=&cnt1=&cnt2=&cnt3=&cnt4=&cnt5=&cnt6=&cnt7=&cnt8=&cnt9=&x=1235
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff986346f8,0x7fff98634708,0x7fff98634718
3⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
3⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
3⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
3⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
3⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
3⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4972 /prefetch:8
3⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
3⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
3⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
3⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
3⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,351111366843230855,11012466195112894003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
3⤵
PID:4036

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3540

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3808

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3124

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3068

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /T /IM FileCenterThumbs.exe
2⤵
- Kills process with taskkill
PID:3464

C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterAgent.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5876

C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe
"C:\Program Files (x86)\FileCenter\Main\FileCenterInjector32.exe" 4956
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Drops file in System32 directory
- Loads dropped DLL
PID:4136

C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
"C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Documents\CompressCopy.dotx"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x448
1⤵
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5930ae.rbs
Filesize
35KB

MD5
b971aa3d133dee2372809e1f07d674d8

SHA1
3988b77dfab2b0127bc1f65cda3525906bf20260

SHA256
cb3178d32cf0947ebd0b582a569c04ebe3844230194c7e30a3f5947b3d8ed425

SHA512
8b60da804d0d3434ab716a331bd4e52b1761d40b6c60bf1e6f73a12797ad1f77431ebd2e25f0daef7b3ab35027aace4b849034c2f3b3d5193d73cb9e28d9191b

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll
Filesize
593KB

MD5
2fbf69d014ae135d473ec8243d44be9e

SHA1
2c28d3b23d8ff061ae554ccd92aec93900e3cb2b

SHA256
6f0d663f59487a01eebb128a9c4984789b91eaa764194ed9f0ed63583577d2d3

SHA512
530ab82b0ba1e148889bf41d6b00c67aee8ea4ff014b7e9d76bef682f8ce34a6908213b4d6f979ba02c6abe907cd1ac28bd323b4b766ede52b49ddd054d8b654

Download Submit
C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
Filesize
40.5MB

MD5
4c61ee01d5b84db67c38c10d3f210f39

SHA1
844eab66505dc4eb88dec70c3f20307365c350ac

SHA256
a7e10bda5cb2e1c347b2ee682385fd56ff5da05c659c665abc0b526f639a5583

SHA512
a44a2bd871c9f0f654b0e627accc9d4388390e5e5b7326a3372a103886d74b89ab78e235e1b986da9acf0f08fdf45b642ec26000bbe32de92a44b1978f4c2f80

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
Filesize
20.1MB

MD5
879d5b401a73cc57a3166ba01ce70c60

SHA1
ee8b47af48514a3b65f4ee838c95e7a3a64d3434

SHA256
82da544c9d730c17c34a253c29fd7d621e8cdc064e0220c27e43bb0dd60c4ebe

SHA512
6e49343acca8ab878b4cf9e12ce4d796decd7f44c7068f8d90f5ad2eebbab31c15c82bbf66bcb571120a9bf8e375055558308d00b66053591c6ec94fb514b3b6

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll
Filesize
13.0MB

MD5
2b9bbd88d6b6a3b7c417cbb0eae69bf4

SHA1
c43ab9fa5c1085ba21280d143f8b8322d6a93883

SHA256
1e5f8dbd4c08faf3a0a84b6af17454d9d21459618b411696b9604af80ee9fc0f

SHA512
f07ae3e76066960a3b657146b83da724ca13873edd82d7314d048593c3e6021ced3297459d46a30daf95189631bfd4c941e44d91433549dcc70efb5407543a30

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini
Filesize
27B

MD5
70da425f8aac14b1484047edb83e60e8

SHA1
69d09199af5a5ba4ed4e1d59432fec784d5271e4

SHA256
258d4ad31457b1c117b248b6ba0dd1c44ba6ad0a0839623ced45ce15ebbd0a7f

SHA512
a9cf352b79a8f38f03a781bf55a94e2c1344e1de55e9ea21e736ad436d7452f8349a64fec3b46e7ddc1d11f5fa3ecc80329b5b4e1da702680e9c2223e57943d2

Download Submit
C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
Filesize
7.7MB

MD5
42d9ffbb0b7ef3cbdeb0c005619b12fb

SHA1
fbaed95c25aa26c43121e8421b5154e9e5dcdca0

SHA256
59e5b75c18c82acf2d94a1fd9b0a67af6795d594e1f837df1a80eec66671d307

SHA512
c77b91ca41b13bb471ced5346f998805430a33e210c09c0d7e0b0a7573d9e95da1bc5e351df08c871e1c3e962b3ec4b9fdb5ef5cc806fd87ef42f50ddd99d7cb

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll
Filesize
36.9MB

MD5
d9806fd0eeafd9f89e0473ad52889283

SHA1
d6fca558897aaa6703129557e2d02b1a84765dcb

SHA256
aa2aafe588aecd1a10bf05dcd675143061a55bcd5bc83bd749bde7b85d21dbc6

SHA512
796c609dc6fa4c6fe1e6909ae3a4a22cc06c900f34b999d77a9805767f69f1b1d96a99e9ee03ad6ab68e7f6bb5fa3269c1d73db4af68a2834bfd5cbf2fe91422

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb
Filesize
476KB

MD5
2e2fec3824de1d97f552892ec1ccaab5

SHA1
1c0443d5ed9dfe32bfb9239a46b553323c81c9af

SHA256
077e7be04b67f86445e1e386ee31f788ee477fff5915bd4b6113c2da7fc8c86d

SHA512
78ab6844ae2f44125b893f556232bda079f709d6284d3126c6461ff84a4290f01c6f779f22a9f07cb09a96d5893d5400dd1512923ec89a5a3779d81333ecadb7

Download Submit
C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
Filesize
21KB

MD5
b9718823c993fccb6352cc0210993569

SHA1
4d551f7cafd0040ff9657ca644c1365f3e7847ae

SHA256
a173ba320929c93b9bf41186a0692d753da812b8691dcc416c16abdf004dbf89

SHA512
6e513ef7535539cff90e88b95c5f57bb9e262cebbf1e51bc8268595347fbf06f628cf16eaa974d7eccd2a285ff2f8f56867c4292c1fe4fb7b0ee90f5acee9747

Download Submit
C:\Program Files (x86)\FileCenter\Main\VSTwain.dll
Filesize
573KB

MD5
13f5f7e228ce2b8a3a41dbad4e451279

SHA1
1b3837572602b2620b75bf2ad2aeab89a64f5287

SHA256
11b50ff0bc4e72cd2dd47fb8070a86781682b92a9fb1010a5fae97276afb2292

SHA512
24ea8072abb5c0d4083989539f399ad076cc92260aaf0317320dddb4196e752e1c082d386c75049a343b1c62765d587f2b66374b53e7b24326ee6129a7aa856d

Download Submit
C:\Program Files (x86)\FileCenter\Main\dten600.dll
Filesize
7.7MB

MD5
22cf875a0cf0ad89f5f7d7ac6628a598

SHA1
c2a9620579a08d6a91557e6cb8f1d2585392d30d

SHA256
11ef1b8791cfd8fee0923ec685ae1d29485349ce7d2d37a15ae1615e8d646baf

SHA512
3b59898730a9eb4a8f4347b8c854983636b28f6641b072fdd0d7f9190b905fc9b03dcf204154072048dc1a6a24785d2aead865b5bf160c9af9df87cf4175c608

Download Submit
C:\Program Files (x86)\FileCenter\Main\lbvProt.dll
Filesize
532KB

MD5
120387e48d0556538ef3ee68de18a707

SHA1
0633de57f7ef851115be39d407db8e08986b3d93

SHA256
e202172ad8799ee0feee2559ac06f2cf75530f702f7e11d0cb4c1b3ec57eae4e

SHA512
a7509c2822bd7f08b5e67dfbd3d9ac701639599b5681966f5276f51e60608dcd7dafaa953f7589d99de7ba7b68eaa56be0ecb2c074f5c4ba6ba114880507b1da

Download Submit
C:\Program Files (x86)\FileCenter\Main\secman.dll
Filesize
146KB

MD5
085d87f49daf13496e0e018c4008fae6

SHA1
4b0c3058b8ace7e8242c941b449daa968f5b45c7

SHA256
d1f1e3717a68166942d1f7a71b78e35e3381edbb07d7d37ae8b603dcc3ffad15

SHA512
52886de13e538e0eef364a16da1ccd24a571450d417ead4ddb689efe8e8099f9964c5f6076a239e833bd41c88f2f95f30c20d722f880837aa541be366407145b

Download Submit
C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
Filesize
13.6MB

MD5
35b40b21383ac38487ceec8ab6e53565

SHA1
59894bd9c96361b475c3b4b7ca9719c72e813d04

SHA256
caa38fd474164a38ab47ac1755c8ccca5ccfacfa9a874f62609e6439924e87ec

SHA512
3a00b40ba8cd1cf8a523efab656f5b8910a3b07f9d8fba4ffc07745165b6375affd77b00fd3064fa72fb984c1773438a39e67a55363be23dd8fe1727c1016b8e

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
42B

MD5
4a2b0b2d8d08db9fcc6eae2e25c9b4d1

SHA1
bcbd9242fe7ad0afabb143453d732657cfc79ede

SHA256
70bc9116d9db8cee6aaf87d19d323fc4961f90116b9a61281a981a461505974e

SHA512
5dc550410f15e4f64e637f61d8b6b09024b7502202ddd346463ac05b962d9bd6c3aecce6b85e089ca53184e99753cb2b137fae9ea26334d8044a0266742f6826

Download Submit
C:\ProgramData\FileCenter\Config.ini
Filesize
23B

MD5
b2ad8f8dcc45644ea167317d050faac4

SHA1
215091d6ad9d4f210b85e675b17c60a7300ca9b1

SHA256
9aaebe4ab06e9de08e28b9b4da9248442c502ef5411d7d734c13af1afa2c2dd0

SHA512
528737e85d799e0312c335bbbb856f12ee885465e9b999d6cfb1b64d8c003744a5a6d6cd7ae2b6e41b9cbe23115990acd65debfcdd15e1677c955944403da6f4

Download Submit
C:\ProgramData\FileCenter\Intercepts.ini
Filesize
6KB

MD5
293bfe23c32bd1332e4caf09e9bb347d

SHA1
1777f80e58dcc9b37cf87d73a4680723c7b87461

SHA256
3f6dd37419d2c2075812e0a104d0603d78a5cf1b378154e8d71c30c37de84264

SHA512
0ec00fc8b45d2fa205be404a37546772919f891d439e336dd601c0961355dd9afdbae983c254a9760207ea15b7b446b7b9d90ad93f7b938aeb74e838204be194

Download Submit
C:\ProgramData\FileCenter\Logs\Hooks.txt
Filesize
998B

MD5
5534acbc2965520676df4215448e3ece

SHA1
08f48a11efa47b05cb0b7e2eb14c9b662ce3f68d

SHA256
26bfb8cf557001f9253ed6da0fd33213e41136ef131cfcf8cfc395047cff668a

SHA512
39b45c11a4d562e0e6f832037fe990ec6f027d70100bcc02abb148ee01cd6b28a20269a2f813b01414655e4501d4202101ca9b9bc1e334dc5e306d64bc9ad921

Download Submit
C:\ProgramData\FileCenter\Logs\Hooks_Last.txt
Filesize
998B

MD5
8bde523bd564817653df647051518eb7

SHA1
693044acff37c4c4d874dfa3cfc40b2f9980a987

SHA256
36ed3a18cf868f4ed90d6ff723b60ba3e23893464245b1d6a83bd69f65f56580

SHA512
3f98c832616b0db874b1254bf3fd0a24d3db95a70f9833f819cbd9a8114bc8ec97e3f77948af66d2204a6e099214ae29b453a08931c60f765dda0a54625eeb69

Download Submit
C:\ProgramData\FileCenter\MyPortal.ini
Filesize
26B

MD5
8af40c2a9db1af603163ed8b0e25a3d0

SHA1
36db1a9baec9e7d6d17073529afff9df063e68d9

SHA256
64b92b073e9519d07676100c694c63207f45b561ce66594b8728eae023ba0705

SHA512
2662a09e1cd148cbb4ee1124e4fdac6561699f447c986992651ff8fb8e7d005803b74ce5c1bb65c6f916ab1407894fabd453735c10378a94d5c918b1fe66688d

Download Submit
C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt
Filesize
1KB

MD5
cb1f074d0cfd8d98eac29be681033716

SHA1
80ebf7b708a0e76e57fc625812e74b5c5dcc5243

SHA256
1dc66eb11dde0cba77980987620efdbb9109a9e8619bbc6752a0f1c0893af5a9

SHA512
cd2ddbdf942b5da8306ba6a48e7741c2b6a48bc46ca619bf1f76095d015912a29ccce5f974b27a7011e25a7f74767154396778214dcbe99501f181dd90300f7b

Download Submit
C:\ProgramData\FileCenter\Settings\POLData_Lock.tmp
Filesize
14B

MD5
724deba0ee02aa7ad576295d784b1230

SHA1
f4f36556c9babc24a278f5f2ddcce4bff6a64bc7

SHA256
a98ebebe7123b54822d1250f6264dd8d971e47d5cc718fac967d2dd2374365ac

SHA512
3855cea9f71c3905baa510a42cf397da2b9f4f27cd071246e72911e646d6f5ba93fb120cb1a2f4d3e6a73d3d5ec40afc6dfbfb9e495e9bb9a2296930b1702239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
252B

MD5
4ad669e3c7f7914cc5c30d13fad3df46

SHA1
0bebda762e6be6734c20db6f54d87414f0e052b4

SHA256
796046b5d1352cad383eb323c394bb9ce99f5f5005037049ed3dbe3cc686aaea

SHA512
3e3c6961b457ae53fd0fcdd86fe50c915718cb93ea3112cfc65969ecd63cd64106c34bd2ed5e3eafd407a666679440a145303bca700bc8004c053d39b2ce68ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
528B

MD5
da83438d158b933976277ad761323980

SHA1
d4cf8ec9df0e7ceb5f70a88f2eb2a7abbdcd0cee

SHA256
7064b564fec6d96210af4a3f5a6b70411c423ae56aa027b4ba977fb14ca7ecdf

SHA512
aec7c4aa65f59f72cb0c1471b3c1f13312f1a5961756a4b01f4a07f3c193cd55c963c8a8253613b796af2beebb55611cb51c65580358943305a42c049a46eda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
7849aa7033299dc1286d2dfc536bf101

SHA1
b88a4b97731056798b3888b9aefd161a0556fdd6

SHA256
8204d4a7010118ad642348a9b0f9e9bbe046a9a4453a3b6b2e13613d466482ab

SHA512
b475ce47e827d49010cb9a5f035d1b5eed5dd980f2b5dbe789168a578dbc4fcee421d9ea5a45646db4d8d9868a84924cf1a52124e6f8c07afccc0d397f856423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
c646c1f4a0f94c752d68511a5343025d

SHA1
0e74f2145e4a78db8ed5556d42068a0ef7d5afba

SHA256
57e1ae2cf1d6b2efd0f92bcaaaf04ca84cc66932a5e621d81f8092028af28df1

SHA512
516e1ecb4f9d58600b41c487144ab09be60aac3acc629d65e01443a4327dbd5dc16a3899b91b77d191da62d0080d1b2a8b8c5b02a9cb1aefe2b9fa9d73b570ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3e689c7db78bf7784109b603e7af307f

SHA1
c5c64fec6b5e3740f235d106d3241d40f9fbd78d

SHA256
f1b57325bfe21a98ac3ea2b337f21fca59ec842b216f1b75bc4104e682230206

SHA512
61281ede365f78fc754ad5f6fd47fa1fc3971930ade07dc13be2b869c03028c66e8ee00084688646c9e5e52527d61c4a8ad4f775a83e279e929559db4d137373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
69070d027d68e39cc05ff618c61a4eff

SHA1
3ca9a6251df5513b329204d80ddffc1fdbbd080b

SHA256
42516a84d6093b65aa19f416763b6613d59618f51b79e5cb2fb07ba3eae14be1

SHA512
a191fb160f40be50ba1454b16c4cd99ffa0f01730ae4b339491182d96292917e84692564beab42e6c03f138d823524558953a2204514a6fd105c6509d20bd07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
615c46554caa87eddbaf73bf721387f5

SHA1
67407652489ba46d372a95555d18bff1d3eb1012

SHA256
1e7a389c032ba61d5a6149360cf258a0a526df54baaeb95732811a092cef3c41

SHA512
8a3a8fbf8c0f1875627309bd989c7daa2d28be1e9ec7b435f37436613979d1df5dd1d971dea19b3d4d1cc5bd4a59576384cb2b67799e28c3d42b45c7d5e9e7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
dba9f91d586c5335c9aee469d068995b

SHA1
327c9dca89c2c41ce9601fe04f579e73e503d67d

SHA256
774b4ef7fddfffbc4d9b256439464515a75e75000b05126dd85fc27dce72bbe2

SHA512
2103538053da22c84c1f296251d78144b9f990fea04027a4e01875085e29e97d31bae67245579dd854faadad03fc6342a456dd25875bd9d2d5b4bad5af5eb877

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD7BD5.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76KP4.tmp\FileCenterUtils.exe
Filesize
8.7MB

MD5
e9638374a27160513f1a62827b6cf102

SHA1
b9da58896020d46c4ef16f8f1b332d5f6c1e6f0f

SHA256
c064ba394872e6a8277a5c71b50da34b800d682e403c6b80ec3ba37badf38942

SHA512
9632c8416f542dc96f22a0ddcd109e85c29368b1263d86f74bab39aae8e9271a7b3e2eea18932cf4e3fb5e269d3892016b878d29fb6dad002db11367849f293c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-91M4V.tmp\FileCenterSetup12.0.16.0.tmp
Filesize
3.0MB

MD5
0acf3c16e6faca9c0aec525f53d03866

SHA1
5c3960b48d2b72ad02e59470d8a7b690ee826f9e

SHA256
2c470730bf3efa3f4a9dc184548abefbab8c4aecc43e14834c5810159019c151

SHA512
17d98a3b52eb89e02a371f1d6effa59f624696cd14b0589fe436640ddbe04fc6c5d82834f73699dbaa32a7a69343f82863820e72e225e17d710c4de5102b46c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\prnInstaller.log
Filesize
643B

MD5
9de11197276eb18aa2cce47e3888657d

SHA1
2ecf7738156bf72f06a1e49cf88e155e0c19db31

SHA256
387c99721c1bd6dbcac840deb6bb29da1e4d36c4fe76cea520406fd6218952b1

SHA512
203aa42b8b8a17dd44178d72ff79743a13041e62253757d35a2a07f46c5188ebe751b1f5a90f812f70c5fba40288ff265416b5b87ce199cb5af54f00c65e8f24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
202B

MD5
add56ec49f8f478e84a934606effef1c

SHA1
1262ae87ef755e40752740df90d21352d5fc81ec

SHA256
22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327

SHA512
c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
36b5b712dc444626bb107893c89352bd

SHA1
9b50019777f83a899810a37a8787af11e6f89e1b

SHA256
706944e44a2d7f382822c1f84ccc685fd650a2a1db9e3f9c3bc309bf7b4de8aa

SHA512
e1cf936da3b651cc346347ffd17759cdf5149fe7687be6dcf837ee5043d95d41096df846f411de4edb49466f115853682e3ab1f7bbded65a21e67c7ff622e4eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
041a6220fd5afc5afb7f30dbef9912b7

SHA1
62310d2c4add31d93342b087ad0e9140fc1bbb82

SHA256
83ce0a6ce9b2a0240d69e6a14315601e78bd4ab45f791564a176c1dcc5a8ecff

SHA512
8344b116ccb3a0e4f595d7b3f347145e1030a1d91cdac40d5091263034f91e007ca5c9dfcb202f9de2f4eb67622674b6a2ee7e9ae54ee7469fe7c52aea438a23

Download Submit
C:\Windows\Installer\MSI3261.tmp
Filesize
1.3MB

MD5
5a36339a5bae618a2ef09d0adab0b602

SHA1
437d251abdcfe4f9379c44336ff5b920df7a0fbf

SHA256
2e1d52eec9169247f75b584f874617ea4702cf2fdf92a4306d84c354a0151674

SHA512
cff119e5b719c8578d199b946fc213074d89195d63bf6cf00dc2c255cc66695d0062da2e916a22d4df4c1bb1e195f69df21c463d144ad9442defe7b3033ead2a

Download Submit
C:\Windows\Temp\{8BF8B4F5-10DD-43A0-A1EB-36291E3734E5}\.cr\vc_redist.x86.exe
Filesize
632KB

MD5
86123c033231dd7e427d619ddeefd26a

SHA1
608c085348fd9c4e124e6f28f0388ccdac6ab2b5

SHA256
d863fb2f65bb6eea492e79ab9d09a53cc226e85f57d6545cb82f60b122a4b737

SHA512
ffb574123b350d3c9434abc88baa050ae6e54b5b9ebf3f1dcf4bf079284135696004508653e74a3a3c2fa8e4c1b681c3f31d5fe69e0f0c5f45ed37f9ddc61e78

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.ba\logo.png
Filesize
5KB

MD5
04967ef5107480ea36b3e2e97af7eb7a

SHA1
6efdd4484dcfcfd45b3c887c852f0abb1a02a645

SHA256
63f2616963b68ac13dab898c1b5938ab1b353a9ba0f73c6a2f2c3c5c9eac0b21

SHA512
00ae4cff10b1a6e504d590d49bc4af707ad33c1739ed46f648dc348645bd5d4b61bf0c84448c78d7542fb6d7294f3aa753b4106579f15b1d726bf1118594c581

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\.ba\wixstdba.dll
Filesize
203KB

MD5
0ba387d66175c20452de372f8dbb79fe

SHA1
5411d41a7d88291b97fb9573eb6448c72e773b70

SHA256
7b3d4a22a56cd80f19c48a321f978f728d34b8227cdc7fcadeb76b7506b2bb33

SHA512
13ec6e6ddc602e8053aadd4dd84ed87c23b581f2a41d738e32a522128ca4985dcfcaedc7fab192085f0eb4facd1cd7ad91ccaf8505491e29288d2f66cbf705fd

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\PkgLite64
Filesize
2.6MB

MD5
e91e50fc80f7d84561db5823595e5b63

SHA1
b3e40b17a668586e86f346e9a7e3b8ef4838d437

SHA256
3203656dcafaf1ae128dae78bab26829bf0c2c9e1c255a8ca15ed176651d8948

SHA512
c9bb45c0882af7a2f5b6294fa2c29202ac529a6f1584e763a00c4812782f8274498a9c008ef0901dd67d895fd448e0eeb19a75cfe98bcd4c050c8856f97e5034

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab20036D21E40418DD3280D692958B9275
Filesize
378KB

MD5
bed8b8bddf71f7b921c8efac0eb69518

SHA1
df2818992742ed4e80d28a94e1b0f43f280db455

SHA256
3cbfff994fa8a50b2d89e0dc906eefaf50ea16b07acb8ed4478fb2b116fcb8a5

SHA512
5699485985ea856d8ef3e97372e51c98eb81225c18ab5a851e1d8f574c0c9e77986563ad63e9b2118bd42edac0a39a46727306484be71af485955f9e818502d7

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab20F2A2993791BDD97B003B5578C7EAC7
Filesize
2.3MB

MD5
951b5426340de231c90e0be2780cc66e

SHA1
fd6b966fd3270e53d8b1d660d69d4290b75b8a9d

SHA256
afac74f4b16fbefff34daec002a027abab8d45b6113ce1fde320cbf2b8eec68d

SHA512
038c0a171079502899366abf1101b173468a1a1997dafe94b6d217e26d5f6fec97e0d38fd4f7a70ef3d410dfdd18b7d93b3954776db3fc7ed9e91211492e0fb2

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab293E212B151FCAC5768C99D66AA8D9AE
Filesize
1.8MB

MD5
f7bd3fbb5859bd43e830b621c8ade037

SHA1
71838fa41b8906bdcb9a64eec599dafd25d92c6f

SHA256
789ca746d45588380841494901a531abcf7a9a184f74af2cf049a77f489f4dc7

SHA512
53dbfde654e6bdaaab257fc3968a50ee7b8e4641bdc739c55ce1697e869ac513a7f2dc72ab92074b062928d56ab6f8083c5fa8a71a16a2f6918cc52f73b81250

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab5DD1590118F3640F385DB3EB2F516E5C
Filesize
17.1MB

MD5
b8b961c9899ec926b1dd8258b0232626

SHA1
8ed4a38e4a7c856a427a068ec51539f2e630f86c

SHA256
e9c26ae1625eb454e4cd78dd9ac145eeae94190f943b6fc72d250dc3acb703d7

SHA512
5dbcdbaf86bb25029838b93fa5787d9833b3ac2e6861b3df405b7957f1e5355395bcc664f4a550d9d79a7d3f7d98ca740527d5a86ecd0bfe0df3e768016f1877

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab66549ACD4EE6139A64068CA8626575A9
Filesize
1.5MB

MD5
bf193f70c4ba12e12a592df1cdb17b40

SHA1
e84a6d1cbcdc79926f7defef1ad4b7a8a651b5cb

SHA256
cee91939598abb3ec23ce0dc93c7690421efdca54795997558ef0fc617442a82

SHA512
23077213cb84b84096c93da33f3a23bda28bcda638ec3a9256f4ab064d8bf6f1e2860d32e6713716f35803db92fb30c4f07b0b2accccd914d7bcb75910b63d79

Download Submit
C:\Windows\Temp\{A37F15BF-F533-474D-B0FE-75D801002322}\cab8D36E281ACA51D7FBE9AB973BE9B36E3
Filesize
174KB

MD5
0102ec8e3aa2b964f2d7719dd00de809

SHA1
9a008c6acc5c70c8467621bf4a8e78930e2843a3

SHA256
765cdd18ca4b9c8de8f16035ab46f740a9da9e628f24dbfe16800af41fa3122b

SHA512
ee4f280449bcceb357290c1970914524fcb30931b240591cee3f540fbfe365a81f5d6201eee9e18598163f9be392062ee8cfcdf16d289c4bc2effa6061e69c94

Download Submit
C:\Windows\Temp\{B9A65458-4ABB-48C9-89F8-73D218627531}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{B9A65458-4ABB-48C9-89F8-73D218627531}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{ED56CB5E-F2AA-49BD-A457-FDD2885C448B}\.cr\PDFXLite10.exe
Filesize
1.4MB

MD5
63ed90cdd501829a2319f8cf86c52bd2

SHA1
da198bec49015e98baa5b2cb91903f659e31dd37

SHA256
529bcd90e571d51a19396cb457bf7eebecf494613030389fa7c5b25b8e42757f

SHA512
d8cc05a5d481e17432125d21d58c2b32696c8b3e6632f911184292a0f0b24910e9dc5cc3ae2bdc6d87e478aef81504aa34520d3bd6813517e4b9347eee0eaa19

Download Submit
memory/500-694-0x000002942BFC0000-0x000002942E4AA000-memory.dmp

Filesize
36.9MB

Download
memory/500-717-0x000002940FA20000-0x000002940FA28000-memory.dmp

Filesize
32KB

Download
memory/500-718-0x00000294111A0000-0x00000294111C2000-memory.dmp

Filesize
136KB

Download
memory/500-683-0x000002940F3E0000-0x000002940F3F0000-memory.dmp

Filesize
64KB

Download
memory/1120-973-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1120-1034-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1216-1144-0x00000000027F0000-0x0000000003229000-memory.dmp

Filesize
10.2MB

Download
memory/1216-1172-0x0000000000ED0000-0x0000000002316000-memory.dmp

Filesize
20.3MB

Download
memory/1216-1178-0x00000000027F0000-0x0000000003229000-memory.dmp

Filesize
10.2MB

Download
memory/1244-29-0x0000000000FD0000-0x0000000001A66000-memory.dmp

Filesize
10.6MB

Download
memory/2256-572-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2284-567-0x0000000010000000-0x00000000101C8000-memory.dmp

Filesize
1.8MB

Download
memory/2300-25-0x0000000000FD0000-0x0000000001A66000-memory.dmp

Filesize
10.6MB

Download
memory/2812-6-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-262-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-56-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-27-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-566-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-15-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-1036-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2812-1039-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3068-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3068-14-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3068-1040-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3068-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3188-584-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3188-583-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/3188-676-0x0000000005BD0000-0x0000000005BD8000-memory.dmp

Filesize
32KB

Download
memory/3188-678-0x0000000006770000-0x0000000006792000-memory.dmp

Filesize
136KB

Download
memory/3188-579-0x0000000007A70000-0x0000000009F5A000-memory.dmp

Filesize
36.9MB

Download
memory/3188-575-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/3236-13-0x0000000000FD0000-0x0000000001A66000-memory.dmp

Filesize
10.6MB

Download
memory/3236-12-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/3412-977-0x0000000000330000-0x0000000000DC6000-memory.dmp

Filesize
10.6MB

Download
memory/3836-640-0x0000000000CA0000-0x000000000145B000-memory.dmp

Filesize
7.7MB

Download
memory/4024-675-0x0000000000330000-0x0000000000DC6000-memory.dmp

Filesize
10.6MB

Download
memory/4236-1033-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4472-31-0x0000000000FD0000-0x0000000001A66000-memory.dmp

Filesize
10.6MB

Download
memory/4540-1143-0x0000000000330000-0x0000000000DC6000-memory.dmp

Filesize
10.6MB

Download
memory/4732-724-0x0000000000330000-0x0000000000DC6000-memory.dmp

Filesize
10.6MB

Download
memory/4732-972-0x0000000000330000-0x0000000000DC6000-memory.dmp

Filesize
10.6MB

Download
memory/4956-1297-0x0000000000910000-0x0000000001F28000-memory.dmp

Filesize
22.1MB

Download
memory/4956-1449-0x0000000000910000-0x0000000001F28000-memory.dmp

Filesize
22.1MB

Download
memory/4956-1041-0x0000000001F30000-0x0000000002969000-memory.dmp

Filesize
10.2MB

Download
memory/4956-1138-0x0000000001F30000-0x0000000002969000-memory.dmp

Filesize
10.2MB

Download
memory/4956-1137-0x0000000000910000-0x0000000001F28000-memory.dmp

Filesize
22.1MB

Download
memory/4956-1189-0x0000000000910000-0x0000000001F28000-memory.dmp

Filesize
22.1MB

Download
memory/4956-1471-0x00000000711C0000-0x00000000711C1000-memory.dmp

Filesize
4KB

Download
memory/5876-1437-0x0000000002AC0000-0x00000000034F9000-memory.dmp

Filesize
10.2MB

Download
memory/6052-1456-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/6052-1470-0x00007FFF744E0000-0x00007FFF744F0000-memory.dmp

Filesize
64KB

Download
memory/6052-1460-0x00007FFF744E0000-0x00007FFF744F0000-memory.dmp

Filesize
64KB

Download
memory/6052-1459-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/6052-1458-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/6052-1455-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download
memory/6052-1457-0x00007FFF76650000-0x00007FFF76660000-memory.dmp

Filesize
64KB

Download