Resubmissions

25-06-2024 14:19

240625-rm6bxsvdkb 6

21-06-2024 15:11

240621-sknjrsygjm 6

17-06-2024 17:09

240617-vn6wmawhlb 10

14-06-2024 13:23

240614-qmxjcawdmm 10

Analysis

  • max time kernel
    99s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-06-2024 17:09

General

  • Target

    FileCenterSetup12.0.16.0.exe

  • Size

    300.4MB

  • MD5

    123556b83a3dad2f59e76602768e9536

  • SHA1

    b402ded286fff73aaf9b32f075bc32029da6d461

  • SHA256

    df2b7f274c484ae5baecb3365b1d9fcc4821facf327ce87724b1be597d0c70a9

  • SHA512

    bc8dc366b404756a55ab40b66bbcccc8d8b366b0f34938c14324d994118602f0be876eaa61234c18eef7ae4e797789da8dd996f023f0f67c0e053e8022dd3506

  • SSDEEP

    6291456:f7u0oceu41pUlsFqvFyeGCIOo7qgB5Fapf5NN9nAug:T9r4vXi5IOyJmfAx

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 20 IoCs
  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 26 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 14 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe
    "C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp" /SL5="$701CA,314098152,831488,C:\Users\Admin\AppData\Local\Temp\FileCenterSetup12.0.16.0.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
        "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtilsInfo.ini"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1212
      • C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
        "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -S -INFO "-1" "3" "11" "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtilsInfo.ini"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3336
      • C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
        "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -CLOSEALL
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterScanner.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4772
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterPortal.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2084
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterThumbs.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterReceipts.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterReports.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2380
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileAgent.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3764
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterAgent.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
      • C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
        "C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe" -INSTBEG
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3356
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterScanner.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4952
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterPortal.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3328
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterThumbs.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4272
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterReceipts.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterReports.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2184
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileAgent.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4488
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /F /T /IM FileCenterAgent.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2196
      • C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
        "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -INSTEND
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\PDFXEditCore.x86.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3948
        • C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
          "C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe" /silent
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          PID:1172
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb
            5⤵
            • Loads dropped DLL
            • Modifies registry class
            PID:236
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /s "C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll" /codebase /tlb:GdPicture.NET.14.64.tlb
            5⤵
            • Registers COM server for autorun
            • Modifies registry class
            PID:3308
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\dten600.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2052
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\lbvProt.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3468
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\VSTwain.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4332
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\secman.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:868
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll"
          4⤵
          • Drops file in Program Files directory
          • Loads dropped DLL
          • Registers COM server for autorun
          • Suspicious behavior: EnumeratesProcesses
          PID:4312
        • C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
          "C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" /install /quiet /norestart
          4⤵
          • Executes dropped EXE
          PID:3928
          • C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe
            "C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4780
        • C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
          "C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe" /install /silent
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2520
      • C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
        "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -PRINTER
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2404
        • C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
          "C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
          4⤵
          • Executes dropped EXE
          PID:2480
          • C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe
            "C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe" -burn.clean.room="C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe" -burn.filehandle.attached=540 -burn.filehandle.self=552 /quiet /norestart /log "C:\ProgramData\FileCenter\PDFPrinterLog.txt" PNAME="FileCenter PDF Printer" ORGANIZATION="FileCenter"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3344
            • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe
              "C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.be\PDFXLite10.exe" -q -burn.elevated BurnPipe.{019FC21B-785F-4260-B83B-5E6AEE9AEFB6} {968BB185-F9EF-45E6-A671-B27254E79B08} 3344
              6⤵
              • Adds Run key to start application
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3440
        • C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
          "C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "FileCenter PDF Printer"
          4⤵
          • Executes dropped EXE
          PID:2456
        • C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe
          "C:\Program Files\Tracker Software\PDF-XChange Lite\pdfSaverL.exe" /SetOptions "Save.RunApp=false" /Printer "PDF-XChange Lite"
          4⤵
          • Executes dropped EXE
          PID:2636
      • C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe
        "C:\Program Files (x86)\FileCenter\Main\FileCenterUtils.exe" -DRIVER
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:684
        • C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe
          "C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
          4⤵
          • Executes dropped EXE
          PID:3508
          • C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-4HDBB.tmp\PDFX5SA_sm.tmp" /SL5="$40304,5384545,119296,C:\Program Files (x86)\FileCenter\Drivers\PDFX5SA_sm.exe" /VERYSILENT /NORESTART /NOICONS /COMPONENTS="pdfSaver,PDFXChangedriver" /DIR="C:\Program Files (x86)\FileCenter\Drivers\" /PName="XChange Internal Driver" "/Organization:FileCenter" /LOG="C:\ProgramData\FileCenter\PDFDriverLog.txt"
            5⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:3308
            • C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe
              "C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\prninstaller.exe" /W0 /I /N:"XChange Internal Driver" /Base:"PDF-XChange "
              6⤵
              • Drops file in System32 directory
              • Executes dropped EXE
              PID:4568
            • C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe
              "C:\Program Files (x86)\FileCenter\Drivers\PDF-XChange 5\pdfSaver5.exe" /RegServer
              6⤵
              • Executes dropped EXE
              • Registers COM server for autorun
              PID:4884
            • C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe
              "C:\Program Files (x86)\FileCenter\Drivers\Vault\XCVault.exe" /install
              6⤵
              • Executes dropped EXE
              PID:2860
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1904
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4596
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Registers COM server for autorun
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4996
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 66342A5A573178976D159FCD1D69914C
      2⤵
      • Drops desktop.ini file(s)
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1760
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding CE2A3E5C0DAAD649A6D94B8CDE415D60 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:4784
    • C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\PrnInstaller.exe
      "C:\Program Files\Tracker Software\PDF-XChange Lite\Drivers\\PrnInstaller.exe" /L /I_D_R_M_P /F /N "FileCenter PDF Printer"
      2⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution, T1547 (2)
    • Registry Run Keys / Startup Folder, T1547.001 (2)
  • Privilege Escalation
    • Boot or Logon Autostart Execution, T1547 (2)
    • Registry Run Keys / Startup Folder, T1547.001 (2)
  • Defense Evasion
    • Modify Registry, T1112 (2)
  • Discovery
    • Query Registry, T1012 (5)
    • Peripheral Device Discovery, T1120 (2)
    • System Information Discovery, T1082 (4)


Downloads

  • C:\Config.Msi\e58c031.rbs
    Filesize

    35KB


  • C:\Program Files (x86)\FileCenter\Drivers\InnoCA.dll
    Filesize

    593KB


  • C:\Program Files (x86)\FileCenter\Drivers\PDFXLite10.exe
    Filesize

    40.5MB


  • C:\Program Files (x86)\FileCenter\Main\FileCenter.exe
    Filesize

    20.1MB


  • C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.dll
    Filesize

    13.0MB


  • C:\Program Files (x86)\FileCenter\Main\FileCenterAddin.ini
    Filesize

    27B


  • C:\Program Files (x86)\FileCenter\Main\FileCenterAutomateService.exe
    Filesize

    7.7MB


  • C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.dll
    Filesize

    36.9MB


  • C:\Program Files (x86)\FileCenter\Main\GdPicture.NET.14.tlb
    Filesize

    475KB


  • C:\Program Files (x86)\FileCenter\Main\GdPictureComReg.exe
    Filesize

    21KB


  • C:\Program Files (x86)\FileCenter\Main\VSTwain.dll
    Filesize

    573KB


  • C:\Program Files (x86)\FileCenter\Main\dten600.dll
    Filesize

    7.7MB


  • C:\Program Files (x86)\FileCenter\Main\lbvProt.dll
    Filesize

    532KB


  • C:\Program Files (x86)\FileCenter\Main\secman.dll
    Filesize

    146KB


  • C:\Program Files (x86)\FileCenter\Main\vc_redist.x86.exe
    Filesize

    13.6MB


  • C:\ProgramData\FileCenter\Config.ini
    Filesize

    23B


  • C:\ProgramData\FileCenter\PDFPrinterLog_000_PkgLite64.txt
    Filesize

    1KB


  • C:\Users\Admin\AppData\Local\Temp\is-ME4LC.tmp\FileCenterUtils.exe
    Filesize

    8.7MB


  • C:\Users\Admin\AppData\Local\Temp\is-PHKRD.tmp\FileCenterSetup12.0.16.0.tmp
    Filesize

    3.0MB


  • C:\Users\Admin\AppData\Local\Temp\prnInstaller.log
    Filesize

    431B


  • C:\Windows\Installer\MSIF0D3.tmp
    Filesize

    1.3MB


  • C:\Windows\Temp\{331B6960-7970-4C89-813D-E58F0E6F92C8}\.cr\vc_redist.x86.exe
    Filesize

    632KB


  • C:\Windows\Temp\{45A36FCD-0295-4FAE-B24C-6F3BF9C760D1}\.cr\PDFXLite10.exe
    Filesize

    1.4MB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.ba\logo.png
    Filesize

    5KB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\.ba\wixstdba.dll
    Filesize

    203KB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\PkgLite64
    Filesize

    2.6MB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab20036D21E40418DD3280D692958B9275
    Filesize

    378KB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab20F2A2993791BDD97B003B5578C7EAC7
    Filesize

    2.3MB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab293E212B151FCAC5768C99D66AA8D9AE
    Filesize

    1.8MB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab5DD1590118F3640F385DB3EB2F516E5C
    Filesize

    17.1MB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab66549ACD4EE6139A64068CA8626575A9
    Filesize

    1.5MB


  • C:\Windows\Temp\{4FCEFE9F-02B1-4D0B-A1A3-EF1291D60986}\cab8D36E281ACA51D7FBE9AB973BE9B36E3
    Filesize

    174KB


  • C:\Windows\Temp\{8E651816-596C-4DA0-8F8A-1FB26470B1D7}\.ba\logo.png
    Filesize

    1KB


  • C:\Windows\Temp\{8E651816-596C-4DA0-8F8A-1FB26470B1D7}\.ba\wixstdba.dll
    Filesize

    191KB

