c135ed6d5a787840884e0d2e63a9dc8512d854af0d3442dbe1eaf0eb015044d6

Analysis

max time kernel
109s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05/02/2023, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Format Factory 4.3.0.0.exe
Size

51.7MB
MD5

3fccb72d5c0a55a8ffacb8477621a354
SHA1

898a54544b9aa00f21a41e1faa1985ebf1416859
SHA256

c135ed6d5a787840884e0d2e63a9dc8512d854af0d3442dbe1eaf0eb015044d6
SHA512

38598d58f2c8818535c1d480b71d4e7e067f0b59b0acf0cc651c67c799dd6573115f0cd8dd53a2484845e6b07fce9e721371877b43a3a4ff409ec97b17066cdd
SSDEEP

1572864:z8c4ix/84ZH7XIQiBv7UucL32JTBeAt/DVuXgm0QRb:CckYH74QaUxGFBjD/i

Score

8^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5080	netsh.exe
2332	netsh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Format Factory 4.3.0.0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	FormatFactory.exe

Executes dropped EXE 5 IoCs

pid	Process
3084	FFInst.exe
1556	FormatFactory.exe
4972	mencoder.exe
4880	mplayer.exe
620	ffmpeg.exe

Loads dropped DLL 17 IoCs

pid	Process
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
3084	FFInst.exe
3084	FFInst.exe
3084	FFInst.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4228-136-0x0000000008F00000-0x00000000090A6000-memory.dmp	upx
behavioral1/memory/4228-139-0x0000000008F00000-0x00000000090A6000-memory.dmp	upx
behavioral1/memory/4228-140-0x0000000008F00000-0x00000000090A6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Format Factory 4.3.0.0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FormatFactory\Language\Czech.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Hungarian.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Serbian-Latin.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mencoder.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FormatFactory.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\ShellEx_103.dll	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Bosnian.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Chinese-Simplified.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\65-fonts-persian.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\README	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Serbian-Cyrillic.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Swedish.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\70-no-bitmaps.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\mfc120u.dll	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FTMod.dll	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Chinese-Kyrgyz.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Chinese-Uyghurche.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Sample\Video\FFTitle.mp4	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Dutch.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Package\PTInstOnline.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Urdu.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\MP4Box\msvcr100.dll	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\60-latin.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\69-unifont.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Galician.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\German.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Hindi-India.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\30-metric-aliases.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\timidity.cfg	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\build_js.sh	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\pdf2htmlEX.js.in	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\pdf2htmlEX.min.js	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Res\FF50.png	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Arabic.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Greek.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Kurdish.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\uninst.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer\config	mplayer.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\compatibility.min.js	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\fancy.css	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\10-scale-bitmap-fonts.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Sample\AutoBGSample.webp	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Res\FF150.png	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Croatian.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Farsi.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Korean.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFImage.dll	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Indonesian.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Philippines.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\49-sansserif.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\65-nonlatin.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer\codecs.conf.in	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Res\SplashScreen.bmp	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Romanian.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\pdf2htmlEX-64x64.png	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\30-urw-aliases.conf	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Language.lst	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\ffmpeg.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\EBookCodec.exe	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer\config	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\Language\Georgian.txt	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\PDF\data\LICENSE	Format Factory 4.3.0.0.exe
File created	C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\40-nonlatin.conf	Format Factory 4.3.0.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Format Factory 4.3.0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Format Factory 4.3.0.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Format Factory 4.3.0.0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Format Factory 4.3.0.0.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Format Factory 4.3.0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Format Factory 4.3.0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Format Factory 4.3.0.0.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	FormatFactory.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FormatFactory.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FormatFactory.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	FormatFactory.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
2476	msedge.exe
2476	msedge.exe
2428	msedge.exe
2428	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4228	Format Factory 4.3.0.0.exe
Token: SeCreatePagefilePrivilege	4228	Format Factory 4.3.0.0.exe
Token: SeManageVolumePrivilege	1556	FormatFactory.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
2428	msedge.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
4228	Format Factory 4.3.0.0.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe
1556	FormatFactory.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3084	4228	Format Factory 4.3.0.0.exe	90
PID 4228 wrote to memory of 3084	4228	Format Factory 4.3.0.0.exe	90
PID 4228 wrote to memory of 3084	4228	Format Factory 4.3.0.0.exe	90
PID 3084 wrote to memory of 5080	3084	FFInst.exe	91
PID 3084 wrote to memory of 5080	3084	FFInst.exe	91
PID 3084 wrote to memory of 5080	3084	FFInst.exe	91
PID 3084 wrote to memory of 2332	3084	FFInst.exe	93
PID 3084 wrote to memory of 2332	3084	FFInst.exe	93
PID 3084 wrote to memory of 2332	3084	FFInst.exe	93
PID 4228 wrote to memory of 1556	4228	Format Factory 4.3.0.0.exe	97
PID 4228 wrote to memory of 1556	4228	Format Factory 4.3.0.0.exe	97
PID 4228 wrote to memory of 1556	4228	Format Factory 4.3.0.0.exe	97
PID 1556 wrote to memory of 4972	1556	FormatFactory.exe	109
PID 1556 wrote to memory of 4972	1556	FormatFactory.exe	109
PID 1556 wrote to memory of 4972	1556	FormatFactory.exe	109
PID 4228 wrote to memory of 2428	4228	Format Factory 4.3.0.0.exe	99
PID 4228 wrote to memory of 2428	4228	Format Factory 4.3.0.0.exe	99
PID 1556 wrote to memory of 4880	1556	FormatFactory.exe	104
PID 1556 wrote to memory of 4880	1556	FormatFactory.exe	104
PID 1556 wrote to memory of 4880	1556	FormatFactory.exe	104
PID 2428 wrote to memory of 4776	2428	msedge.exe	103
PID 2428 wrote to memory of 4776	2428	msedge.exe	103
PID 1556 wrote to memory of 620	1556	FormatFactory.exe	101
PID 1556 wrote to memory of 620	1556	FormatFactory.exe	101
PID 1556 wrote to memory of 620	1556	FormatFactory.exe	101
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106
PID 2428 wrote to memory of 2304	2428	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\Format Factory 4.3.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\Format Factory 4.3.0.0.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Program Files (x86)\FormatFactory\FFInst.exe
  "C:\Program Files (x86)\FormatFactory\FFInst.exe" /CloseApp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Format Factory" dir=in action=allow program="C:\Program Files (x86)\FormatFactory\FormatFactory.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5080
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="EBook Codec Downloader" dir=in action=allow program="C:\Program Files (x86)\FormatFactory\FFModules\Encoder\Doc\EBookCodec.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2332
- C:\Program Files (x86)\FormatFactory\FormatFactory.exe
  "C:\Program Files (x86)\FormatFactory\FormatFactory.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Program Files (x86)\FormatFactory\FFModules\Encoder\ffmpeg.exe
    "C:\Program Files (x86)\FormatFactory\FFModules\Encoder\ffmpeg.exe" /init
    3⤵
    - Executes dropped EXE
    PID:620
- - C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer.exe
    "C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer.exe" /init
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4880
- - C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mencoder.exe
    "C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mencoder.exe" /init
    3⤵
    - Executes dropped EXE
    PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ic-dc.hostingsoftwaredl.com/pr/5a15f7de-87f9-11e7-a538-028c2af6f378/typ_1.html
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8118846f8,0x7ff811884708,0x7ff811884718
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
    3⤵
    PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
    3⤵
    PID:2460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
    3⤵
    PID:828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17514076003140752676,6637417166256584309,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
    3⤵
    PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FormatFactory\BCGCBPRO2500u120.dll

Filesize
8.6MB

MD5
7e14b27a4b9d98377fa92e10ee05ffa2

SHA1
9b35c3abb5b0114f2019149525dea08000e2a93d

SHA256
247b8d6340ec107023adc56e975c4ce89b243e2359276ddd9ac734d396dfbee2

SHA512
f0c46863539ec9668936279b9aa519e17142c8a05500960249655ae811a5a374b7f31274b21ee7dfdf46f6169a85857b9e85aa9047889ef37a786abd76daafc1

Download Submit
C:\Program Files (x86)\FormatFactory\BCGCBPRO2500u120.dll

Filesize
8.6MB

MD5
7e14b27a4b9d98377fa92e10ee05ffa2

SHA1
9b35c3abb5b0114f2019149525dea08000e2a93d

SHA256
247b8d6340ec107023adc56e975c4ce89b243e2359276ddd9ac734d396dfbee2

SHA512
f0c46863539ec9668936279b9aa519e17142c8a05500960249655ae811a5a374b7f31274b21ee7dfdf46f6169a85857b9e85aa9047889ef37a786abd76daafc1

Download Submit
C:\Program Files (x86)\FormatFactory\BCGCBPRO2500u120.dll

Filesize
8.6MB

MD5
7e14b27a4b9d98377fa92e10ee05ffa2

SHA1
9b35c3abb5b0114f2019149525dea08000e2a93d

SHA256
247b8d6340ec107023adc56e975c4ce89b243e2359276ddd9ac734d396dfbee2

SHA512
f0c46863539ec9668936279b9aa519e17142c8a05500960249655ae811a5a374b7f31274b21ee7dfdf46f6169a85857b9e85aa9047889ef37a786abd76daafc1

Download Submit
C:\Program Files (x86)\FormatFactory\FFImage.dll

Filesize
3.6MB

MD5
a9d115c89f14bb7d3d32ba96cfa9ae7a

SHA1
a2ab00097fdabae31ddf7b058e0eb08fcb96c988

SHA256
546787f040d1c8216f9720d10a585489628ad2056d967447b7f5a6ed81ec19dd

SHA512
a3d95f7684a2e3dc9319c69613c283e35e8b3ce0514d7aae2f0162a3911a089c7e672324e6d80ccabd907fb4fbca50c0ad890c63ad587b6a7ed2a7e29b04fa29

Download Submit
C:\Program Files (x86)\FormatFactory\FFImage.dll

Filesize
3.6MB

MD5
a9d115c89f14bb7d3d32ba96cfa9ae7a

SHA1
a2ab00097fdabae31ddf7b058e0eb08fcb96c988

SHA256
546787f040d1c8216f9720d10a585489628ad2056d967447b7f5a6ed81ec19dd

SHA512
a3d95f7684a2e3dc9319c69613c283e35e8b3ce0514d7aae2f0162a3911a089c7e672324e6d80ccabd907fb4fbca50c0ad890c63ad587b6a7ed2a7e29b04fa29

Download Submit
C:\Program Files (x86)\FormatFactory\FFInst.exe

Filesize
66KB

MD5
627aa098c50e6b29d333add6a47ddd42

SHA1
29f0a805bb0cea1c1261eade453b011c31071dad

SHA256
a7bfd5c47d4a4d70c5b61a0e0cf82bf837fdda2e0fe318335082042ee0c8c47c

SHA512
9964d36c025a82fbab33c13b2a24683d6b1383ca0e7aa2ffcac550a70aa38f59f83efcd2fe2f317dba08287889d60bdd06d59e03c579d4f8767a312dc8b82764

Download Submit
C:\Program Files (x86)\FormatFactory\FFInst.exe

Filesize
66KB

MD5
627aa098c50e6b29d333add6a47ddd42

SHA1
29f0a805bb0cea1c1261eade453b011c31071dad

SHA256
a7bfd5c47d4a4d70c5b61a0e0cf82bf837fdda2e0fe318335082042ee0c8c47c

SHA512
9964d36c025a82fbab33c13b2a24683d6b1383ca0e7aa2ffcac550a70aa38f59f83efcd2fe2f317dba08287889d60bdd06d59e03c579d4f8767a312dc8b82764

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\ffmpeg.exe

Filesize
32.3MB

MD5
f8f99e9f8ddc31ce42078693b632147c

SHA1
bba52cbcd541c7b45f2e52ab3d9b215743e0a436

SHA256
4b0d9db94442e06e09d27b2f9cd96956c51a661b5078ad8247dada8a43412aea

SHA512
040f5dbe7b8bca49fc7ce6e2efbeaeb6cb5a25ae57c58784656aec162d190e6db76bb73d7f7616daac307c77d4493696d316f0b34f3b2d5e24b796e0aea4d8f7

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\ffmpeg.exe

Filesize
32.3MB

MD5
f8f99e9f8ddc31ce42078693b632147c

SHA1
bba52cbcd541c7b45f2e52ab3d9b215743e0a436

SHA256
4b0d9db94442e06e09d27b2f9cd96956c51a661b5078ad8247dada8a43412aea

SHA512
040f5dbe7b8bca49fc7ce6e2efbeaeb6cb5a25ae57c58784656aec162d190e6db76bb73d7f7616daac307c77d4493696d316f0b34f3b2d5e24b796e0aea4d8f7

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\10-autohint.conf

Filesize
481B

MD5
ffa85c71161c3e8f5b8c631cca321ddf

SHA1
fc66c6fc7f4c968031fe4e72ede989f6abd494a2

SHA256
19dea93ac433aefad111ca41b8738b0582d2ac7bfef87aa50cca3a4b62f6101a

SHA512
4f5f665d7d9d8c6d7bfb8a8d11751895482a7c216bc91b3f969c2adca9df0d34b1c856375116c83fda6dfdb890d5b5f2f0a6433e41fe2808c319abd8669f1e0f

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\10-scale-bitmap-fonts.conf

Filesize
1KB

MD5
b19465d66bd1530132fb1a397e538346

SHA1
17b63216ce83e273bcdcd48339064544fbb03182

SHA256
4cf7aa43a43a90445816f275e34992f3563db4468ef588874440d61546485702

SHA512
1d9ed37e2d81a786e6d0ea6ad9da5db285657e598f38f72da884dc0f2e6f221eef95e6cdf08ddd117b81ed64425d6f49ca5cf21c3d2a38d0f039d51b0754825e

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\20-unhint-small-vera.conf

Filesize
1KB

MD5
6fb496d0bb963a54d5db870955ddd771

SHA1
ed5aad6fb90c695625c92e5b428f73cbe54853bc

SHA256
855e1f86a70170982cda0e796e407173c81e4033537ccb6fa899f638a324ef60

SHA512
84e0fd8100acf92a19b2d2c660fc14b297c826c71b911dcfc8c13fdf391c80ac29c96b2634fe75a280c929a2c41024a257135cfdb9272a699c9099d1f11638bd

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\25-unhint-nonlatin.conf

Filesize
3KB

MD5
a5379350710f56a807962f3f06d3ffc1

SHA1
ed558a6d38e75c324f05f4b0f644e56c3811948d

SHA256
d074be03d0613eb6aa4037c97fc48234e8340a36262f528e09583e65031cc1fc

SHA512
f6a77e3aee5aea0e8574e419a5796c9549ab99d358b9d2ef1cc42a91fdba8b6c0ea6db0fc809d3f70cd4c4511c61dcaa58aa3e1d065012a772c18bc35e5ad517

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\30-metric-aliases.conf

Filesize
4KB

MD5
08be66fa3848e05b8a2cc7f2cb686ec4

SHA1
217975a4bd720e6e4aca7e537821bc9b6935871c

SHA256
a6af6e184140d23783cdadede8d78baa33c86c6ec6bab98ba520c375bfaac45d

SHA512
50e1df1933451fcfa27ac34a65903fccd52bb8b764b7816b67912dc67abbe5415c7f8577951bb349d9e7846daa24166a3c0efcf8d4ae472710755c64385c8298

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\30-urw-aliases.conf

Filesize
1KB

MD5
2f32a914ae3f96879b92a286410c8bf6

SHA1
a9aa9be9d8de2e5dd744f3fac4e005e4fe8ff8a3

SHA256
ff6c975fd9716d7671f8f71bab93ae35a42f848c67b76b0b5044d1dd615b288f

SHA512
ad14eb45bb230fc97e2eb790e1af3c200b8006779eb29d33ffee8a4470d59ef51efc91b3605be2354f3036e44616c4407b27f1749db1ebf50d996a8cb2a941c5

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\40-nonlatin.conf

Filesize
5KB

MD5
0713f646aa4c80d5d67c0799653ecc17

SHA1
79381db2cddd3cf7064180f45103d5511e7e874e

SHA256
96883a4ec25fe27cc7e608e34a2b0928c6572263c60fdd1a4d10c7cac4a04683

SHA512
01fbd3920a657c5971af79d03e16585c727b9bf04301d85fde2f1dc43771bd8545c8139b59b209ce9f5875e51d564fe679360dd10eeaace2b1a4a77aa48f6785

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\45-latin.conf

Filesize
3KB

MD5
1ff85af0c7ab2e880cea90ed0915b4bf

SHA1
b917b501408db1477c0042a998cbddee77d54a3b

SHA256
c7970d3799402973885b070c97bc91efa9e3680eb26390fff557dcfd37cb2fcc

SHA512
68215a8b0d5759c30782a8244aabd75171d8fd17011baa4aad74a28a87235374619c46248cd26beb26818535f7289361a1e4244ec0502999d1c60245a7fb07ce

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\49-sansserif.conf

Filesize
545B

MD5
22278b0b48e5864d9c7fcbc178da0db3

SHA1
fe066f8153c5e679ef711500bb213f691fe4b373

SHA256
ac32c6de350ff1c7945c31bf55eb89aa00c2198f65c92f89479f552dbce82090

SHA512
137d5fa18c5dc87701d35c53979a7e8c9993bfa0a50a2e6fdec3138d9e17f66255317191ceb918be1fb64354fd101a01c6864b8507d0291c6bd2508c752f69e2

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\50-user.conf

Filesize
673B

MD5
d01cf387e9d7ebacb173629853094d76

SHA1
5a2d5670a68cbaf4750634950d9af8b949053fe3

SHA256
572980e97c21390386bda4d49da677fd99afbede5b2f63e4ea50d47696a8f8b4

SHA512
57b4f9f8f5458e50dba5ed7c06de635e4770bbec9460bfa28d1c13d29dc5c8425e70e60f26afc410e551dda59a115e8b6de85d83820d408d3e8e4020ea4e7ccd

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\51-local.conf

Filesize
189B

MD5
a2fa562c168c2c4cc0c2480bfdc0f8eb

SHA1
f0530a14ca3ecc1db9072b6aead895442b1c05c3

SHA256
cff7fa2a5fec9dc6e4b96df901a5763b02f7da3bd1636f62b261f71ec06dcc71

SHA512
e612afb1864abad50c8f52f66733a2642bd79091410833c9f5a7fb975136fb7303c16eafe4469c7da9ec3b08a6d2ff52ecbd538f8feb57c0d57cd61a0de49a26

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\60-latin.conf

Filesize
1KB

MD5
d9208e27c6dea86dabae2f777f53f6df

SHA1
3d3f14211f9409243c388741396e5dd9302fb7e0

SHA256
c4483fde4fbba192fac2fb9d146efe9c9ac9b5c6869cb21e4e783a22ac9aff30

SHA512
e3fa590ca22de276429c147f3c704936d39c25f3bbb89b05b39fb25bb035a438070eabd0343cf0ae751d63be6da9d98697608505da9624a3a721b5eedccb64c9

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\65-fonts-persian.conf

Filesize
9KB

MD5
4600ab82eed76e726bffb2fc99d1f1b7

SHA1
b00c323a8d58208679274ee18cdca5bf27e45d70

SHA256
e02d797787df6b54e81d77aa8e8a75bcd59b866802fb43b06105d66376efd30d

SHA512
c9ee7afd0a358d969adf02b857d35d4377f75df5ce676b8de02c6f8583e7f9197b54ebd5d74bfa5fa64e1c46e3b95566f3040ee499811e86128dc442ea8816ee

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\65-nonlatin.conf

Filesize
7KB

MD5
1470f5cee12ee55b9a807e41a2495bf9

SHA1
67fa01cfa3e517a2181c53ced2d3b8f6cd1954ae

SHA256
cfc9c510f9192c76532bf9016e105ede9dc183b9d88b1e8d78ca5842968cddb0

SHA512
2f2995d95a6007038b913bea2898a8ea4ba3e9a3d5216eb377d0fcea0b858f54e1d5c6b71e4f2d54081d98927623f230efddace62d990afa7b5337b2195238c5

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\69-unifont.conf

Filesize
672B

MD5
49a6cb52e1cf23e0f691807a3e8c105d

SHA1
d2071f2dc0c21218ac884f745e37f4b7c8ff2c31

SHA256
7d001e8289d1af7a0f095b3c5646347a68c6586b989312ffa3059f92213678e5

SHA512
2597c656f0ed12a89dd10e70aa51299021392df45ee9d2d395f0c32340ca9b935a41ea8cec8254cc195cd78545eb4a08156ebc3f4cb78d602ba4203fc352df3e

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\70-no-bitmaps.conf

Filesize
263B

MD5
dccfa658875eea3b30514d7a8bc306bc

SHA1
ded7c98613e70f22ecfe1f6b465236603bad3336

SHA256
b1d755a293433dd7d15120eb8aa79ac89db3ee91c0aa674dff53768802a35aa8

SHA512
a5c26db172cf137da954e8d4514919f76a84b416dbf3117289c8f4872add14dd5fa81f96473666cff7bb6d5e471c8b198e9f8875de96e05b1eaabe8192009d18

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\80-delicious.conf

Filesize
422B

MD5
fcad9a0561af18b7965910ccea55453f

SHA1
2a524d61ea224a69417345c7e1f11c3d76374638

SHA256
046da4371f65c236aafc73ed33a924c61e55ff49dad9d9a51e79f519882d7fbd

SHA512
156b20af75443669f2ae7976c9f07697b7cade5c105fc8cb75d8731c55a736e8e0c624cb42c1f9633912cc16b0fd5d49e6e0fdf99560419f279ed68a4dd1df80

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\conf.d\90-synthetic.conf

Filesize
1KB

MD5
7659edb861f44ff8e9f4e31567d24e47

SHA1
686d2c581106d0f236ceb708cf24c98907f01b87

SHA256
bbea65e32cef73fcb80efa1b32fc54e31c31477d808a8b206682f1ab06baa523

SHA512
a0dca254fb22266624c1bb4f0a487c0164fb0271e64f5e45db943315951f82f3a4f2df734ad61745ceecd5c5da683e1960f039eda8060e3d2e0c01618b8bd909

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\fonts\fonts.conf

Filesize
5KB

MD5
ad887aa2308cbde3ac34afccd16e0f24

SHA1
e73400970999f74d20b835564e48616cebdb61c1

SHA256
03a94d8cc049d03ef6fbcc906a8082c8458a217a2f547a3faf5044c9f9e197fa

SHA512
9254a470767f351e494bb7342a60ee4efbb99b8832474e1e48813447812a871d9b1409a8b8802df8639463090e4bcc782ee76cf9d936f1d6bc28f3c1f32a46ad

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mencoder.exe

Filesize
26.1MB

MD5
e46aefcdeba94119d70c00c564da1984

SHA1
865af31f684d01cdc8f0c2d9336b9137cae9df80

SHA256
bd528c3beff7e47be0603f8180f1054f380944136ca6590b7c1a522f2b9ee05b

SHA512
22c23af4911bfa68677c11f7c49eeaa5604dc6304f7e5c5533df05659d23a77c4737acace151b38fb535b1af786c2dacf1ba446bf6e43eed8f7ecb10b19ad86b

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mencoder.exe

Filesize
26.1MB

MD5
e46aefcdeba94119d70c00c564da1984

SHA1
865af31f684d01cdc8f0c2d9336b9137cae9df80

SHA256
bd528c3beff7e47be0603f8180f1054f380944136ca6590b7c1a522f2b9ee05b

SHA512
22c23af4911bfa68677c11f7c49eeaa5604dc6304f7e5c5533df05659d23a77c4737acace151b38fb535b1af786c2dacf1ba446bf6e43eed8f7ecb10b19ad86b

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer.exe

Filesize
27.6MB

MD5
fa2b89fc925e52b5c376a6cdb9282f5f

SHA1
9a20469022b1146ea255b59c3ff9510f2129479f

SHA256
0d8d0551c9781b9b70368f85e1b84897517c0222ce6e9ae4004ceb24284e5196

SHA512
96d73ec9dbeebfb8d5261cc0dd2302162042ada72f0513ab829d8e7e07d823bd8c2f9cdb93eaa2ab06cc29a4df28e197f84b3135190543268a60ccef22a6e103

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer.exe

Filesize
27.6MB

MD5
fa2b89fc925e52b5c376a6cdb9282f5f

SHA1
9a20469022b1146ea255b59c3ff9510f2129479f

SHA256
0d8d0551c9781b9b70368f85e1b84897517c0222ce6e9ae4004ceb24284e5196

SHA512
96d73ec9dbeebfb8d5261cc0dd2302162042ada72f0513ab829d8e7e07d823bd8c2f9cdb93eaa2ab06cc29a4df28e197f84b3135190543268a60ccef22a6e103

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer\config

Filesize
762B

MD5
5c4a0e19357b882b57d9a866179ff765

SHA1
f48a3dbcb8bf0b0e83ae968cab2c756e4d1b5c2a

SHA256
f44be843730b8509b7b053f8a15b9c25287e546634b85d74282ffe12056f08c5

SHA512
0eb40976a6ddb9395ed6e107725f73bbbd2e9174afdebc6e6b027ce7081538b7ed966bacbbf1e963de658b63a1914577bbd8c62d8f65b3323c78001b1817fad8

Download Submit
C:\Program Files (x86)\FormatFactory\FFModules\Encoder\mplayer\input.conf

Filesize
4KB

MD5
6ef797da7faf5660a7caeaa04040810c

SHA1
8279db06ef71a00af5f2df58e79c76cc5e295a55

SHA256
a951c831a503052a5e9db2d17e67f7beced73a62e241f83a551f1ba726d9d5d0

SHA512
f208fffae0a0127aea5cea4864a15bc41488759386118be1b0ec5b2ac90a163c877337addd8b3073debb79a1e123cf94caf5a4734ea5a2557dce35364569031e

Download Submit
C:\Program Files (x86)\FormatFactory\FFUILib.dll

Filesize
2.9MB

MD5
82df05654c983c09d3296ce7ef0a0d36

SHA1
a9b427185aa59927d7aafe4b3cf780b3d5b14de9

SHA256
7c91387f1f3f679c664852445fcae68741168905c12cb1799473d1addaddcef9

SHA512
f9aeacd29e26bc25403924263f17d80a41d99b5f2add01a0ad028866e47b3b723389c73c4ffa296ab18e1e120724db4cba71597046642d9f14e6225a733ad6ef

Download Submit
C:\Program Files (x86)\FormatFactory\FFUILib.dll

Filesize
2.9MB

MD5
82df05654c983c09d3296ce7ef0a0d36

SHA1
a9b427185aa59927d7aafe4b3cf780b3d5b14de9

SHA256
7c91387f1f3f679c664852445fcae68741168905c12cb1799473d1addaddcef9

SHA512
f9aeacd29e26bc25403924263f17d80a41d99b5f2add01a0ad028866e47b3b723389c73c4ffa296ab18e1e120724db4cba71597046642d9f14e6225a733ad6ef

Download Submit
C:\Program Files (x86)\FormatFactory\FTMod.dll

Filesize
2.5MB

MD5
b286e760501847dc2871f2ecbd0eb0a4

SHA1
4cc44b5ea648e8df02d3aeb12afd63c409939afc

SHA256
0d680d459e326085d62e15fdaa3844429e40fcb95905d9adea4ff6bcab03ae0c

SHA512
08d9237aefe307b9c49289ccac8e9895bd37a7211bd828f37efa6e5c679891f60ac29de0b95ac47f64cbc8902d1ee6ffada21924c6ae89a277aee8afd06d5845

Download Submit
C:\Program Files (x86)\FormatFactory\FTMod.dll

Filesize
2.5MB

MD5
b286e760501847dc2871f2ecbd0eb0a4

SHA1
4cc44b5ea648e8df02d3aeb12afd63c409939afc

SHA256
0d680d459e326085d62e15fdaa3844429e40fcb95905d9adea4ff6bcab03ae0c

SHA512
08d9237aefe307b9c49289ccac8e9895bd37a7211bd828f37efa6e5c679891f60ac29de0b95ac47f64cbc8902d1ee6ffada21924c6ae89a277aee8afd06d5845

Download Submit
C:\Program Files (x86)\FormatFactory\FormatFactory.exe

Filesize
4.2MB

MD5
290236505d1c94c4ab14945ead8395d1

SHA1
4f54a0d734a0f888a5efc49448a710737806d63c

SHA256
219974ff837a489367a7ed4d3440ef94c8c3cfa7e8bdb2b0fea8bfa7baf21172

SHA512
4133c6d574de49b813cec94701951c78e18fa4432b157d453d2698cb69d1d50f0cf020bfa0038450b76d0a3eb110c32e9241cbae0148a534f5e78436f707cd16

Download Submit
C:\Program Files (x86)\FormatFactory\FormatFactory.exe

Filesize
4.2MB

MD5
290236505d1c94c4ab14945ead8395d1

SHA1
4f54a0d734a0f888a5efc49448a710737806d63c

SHA256
219974ff837a489367a7ed4d3440ef94c8c3cfa7e8bdb2b0fea8bfa7baf21172

SHA512
4133c6d574de49b813cec94701951c78e18fa4432b157d453d2698cb69d1d50f0cf020bfa0038450b76d0a3eb110c32e9241cbae0148a534f5e78436f707cd16

Download Submit
C:\Program Files (x86)\FormatFactory\Language\Language.lst

Filesize
3KB

MD5
77402b74110c76cc67e7563361fb8c42

SHA1
1ea84fc62ed286696b2e880e7e65ecbceb118bfd

SHA256
18ec4a972e54d4e6976ea0ae77ab8f2d6d2fc406395f7602af03311664ec593b

SHA512
7d30bd4ef1c2e510a6394746f9a7d2cf778416d76efa7fb8b44898c11676e9d7439dbd3a50a34ce584941360c7d34aff357842c86a579da718953366553221c4

Download Submit
C:\Program Files (x86)\FormatFactory\Language\Spanish-Traditional.txt

Filesize
24KB

MD5
f387b54bf84cc5c05caca670f589f69e

SHA1
f02d5f59573d20141f193bcb59121226c7537094

SHA256
ed530a23d97b0f7c2b798939273dc334e317a25ad458a6b00d34915f319314c4

SHA512
d22317aecce40f299557daec6ae62107a999f0c07eb25ed878d03320fd97d8ba9165afd66b81de3f4527a16b8d4ff6ffc4dba5ef2d3b5b898c88d5ca6af57db9

Download Submit
C:\Program Files (x86)\FormatFactory\MSVCP120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Program Files (x86)\FormatFactory\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\FormatFactory\MediaInfo.dll

Filesize
4.4MB

MD5
8750483a0cac82fefd10c36844805df0

SHA1
c72ac7d462802e8cb2643e5fa305f053821799eb

SHA256
4db21dd625adad7f720d1294f2a4d01bbbd741a72ae67935c35d286f5e4294a5

SHA512
3d14fddfbce023cb2c43f049155e3a73759d91010ca9a0d646c741e004e87baf571c00a5b820b90f22f40ec52da917cf2faae80fcf5868cd5f10b92c836df28d

Download Submit
C:\Program Files (x86)\FormatFactory\MediaInfo.dll

Filesize
4.4MB

MD5
8750483a0cac82fefd10c36844805df0

SHA1
c72ac7d462802e8cb2643e5fa305f053821799eb

SHA256
4db21dd625adad7f720d1294f2a4d01bbbd741a72ae67935c35d286f5e4294a5

SHA512
3d14fddfbce023cb2c43f049155e3a73759d91010ca9a0d646c741e004e87baf571c00a5b820b90f22f40ec52da917cf2faae80fcf5868cd5f10b92c836df28d

Download Submit
C:\Program Files (x86)\FormatFactory\mfc120u.dll

Filesize
4.2MB

MD5
f4f2a4c459dd3aa22dd3984d13b15746

SHA1
d52dc1af7bf7eca1520380fac01f8ab225b11aa3

SHA256
c2d0e285e2333a9c620be04a5747881af0d5615da32226886e659ff31a9761cc

SHA512
3cef3f80a86c6247a4ee247b1887a612d3bd7c7a4a2270887521140d83f251293b7eb79ac41daa2e82d6083c5f7242cbed7bc77f0204be85d65762647bcf5b4c

Download Submit
C:\Program Files (x86)\FormatFactory\mfc120u.dll

Filesize
4.2MB

MD5
f4f2a4c459dd3aa22dd3984d13b15746

SHA1
d52dc1af7bf7eca1520380fac01f8ab225b11aa3

SHA256
c2d0e285e2333a9c620be04a5747881af0d5615da32226886e659ff31a9761cc

SHA512
3cef3f80a86c6247a4ee247b1887a612d3bd7c7a4a2270887521140d83f251293b7eb79ac41daa2e82d6083c5f7242cbed7bc77f0204be85d65762647bcf5b4c

Download Submit
C:\Program Files (x86)\FormatFactory\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Program Files (x86)\FormatFactory\msvcp120.dll

Filesize
444KB

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Program Files (x86)\FormatFactory\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\FormatFactory\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\FormatFactory\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAAAE.tmp\Fusion.dll

Filesize
992KB

MD5
27ea8766826498157cd7cf0d24c17310

SHA1
c42ebaddfb32dfaefd9b86025f91055434baaba1

SHA256
647acf31e049389d2ccf10f586f6636d840db8de5674f74b0c699008b7ce602a

SHA512
ac0539263ffc1b7669e7265b89f7f34e3a96c763b1cf833c7487a8e0d4dbb64b82f6ee77e2d9a1045b82bebc3b687ae9ebbc2c1ccf662e9b21cf3611f2effded

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAAAE.tmp\Fusion.dll

Filesize
992KB

MD5
27ea8766826498157cd7cf0d24c17310

SHA1
c42ebaddfb32dfaefd9b86025f91055434baaba1

SHA256
647acf31e049389d2ccf10f586f6636d840db8de5674f74b0c699008b7ce602a

SHA512
ac0539263ffc1b7669e7265b89f7f34e3a96c763b1cf833c7487a8e0d4dbb64b82f6ee77e2d9a1045b82bebc3b687ae9ebbc2c1ccf662e9b21cf3611f2effded

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAAAE.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAAAE.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAAAE.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
memory/4228-136-0x0000000008F00000-0x00000000090A6000-memory.dmp

Filesize
1.6MB

Download
memory/4228-135-0x0000000008900000-0x00000000089FC000-memory.dmp

Filesize
1008KB

Download
memory/4228-142-0x0000000008FDD000-0x00000000090A5000-memory.dmp

Filesize
800KB

Download
memory/4228-141-0x0000000008B00000-0x0000000008C00000-memory.dmp

Filesize
1024KB

Download
memory/4228-140-0x0000000008F00000-0x00000000090A6000-memory.dmp

Filesize
1.6MB

Download
memory/4228-139-0x0000000008F00000-0x00000000090A6000-memory.dmp

Filesize
1.6MB

Download
memory/4228-146-0x000000000F7D1000-0x000000000F7D3000-memory.dmp

Filesize
8KB

Download
memory/4228-143-0x0000000008F01000-0x0000000008FDD000-memory.dmp

Filesize
880KB

Download
memory/4228-152-0x0000000008B00000-0x0000000008C00000-memory.dmp

Filesize
1024KB

Download
memory/4228-153-0x0000000008FDD000-0x00000000090A5000-memory.dmp

Filesize
800KB

Download
memory/4228-217-0x0000000008FDD000-0x00000000090A5000-memory.dmp

Filesize
800KB

Download