vidar | 2ddc5ba89d79c752e61e07956f00419dbcee56f34589ca62628dc87d30343860

Analysis

max time kernel
148s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0xds.exe
Size

11.4MB
MD5

bdb7e2090cd4cb5e75d7701b51769f40
SHA1

accaafb67f13135bdb27b43641f4151360d6c89c
SHA256

2ddc5ba89d79c752e61e07956f00419dbcee56f34589ca62628dc87d30343860
SHA512

06a33313ef1ede5a3082968f7ff29d31a90bb5c1570571b6fca4580b277ea7fad6c068403068d282c4e8fa9bad5811c5d4d3cef5075cf983143521cea3bcff3f
SSDEEP

196608:TvGacofn0NPExHJwtbq70rkOdc8nK1lK3XUU+7ZlMjn7og871zmvQIvQyMIoVGHc:Tveof0N8UJqGkgEFkog87MhvN0GHc

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0009000000015cf2-133.dat	family_vidar_v7
behavioral1/memory/1808-142-0x0000000000300000-0x0000000000557000-memory.dmp	family_vidar_v7
behavioral1/memory/1808-788-0x0000000000300000-0x0000000000557000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2796	Patch.exe
2032	fcproinstall.exe
900	fcproinstall.tmp
1808	WindowsNetwork.exe

Loads dropped DLL 13 IoCs

pid	Process
2428	0xds.exe
2428	0xds.exe
1052	MsiExec.exe
1804	MsiExec.exe
1804	MsiExec.exe
1804	MsiExec.exe
1804	MsiExec.exe
2428	0xds.exe
2032	fcproinstall.exe
1128	RegAsm.exe
1128	RegAsm.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	0xds.exe
File opened (read-only)	\??\Y:	0xds.exe
File opened (read-only)	\??\N:	0xds.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	0xds.exe
File opened (read-only)	\??\M:	0xds.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	0xds.exe
File opened (read-only)	\??\L:	0xds.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	0xds.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	0xds.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	0xds.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	0xds.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	0xds.exe
File opened (read-only)	\??\O:	0xds.exe
File opened (read-only)	\??\U:	0xds.exe
File opened (read-only)	\??\X:	0xds.exe
File opened (read-only)	\??\Z:	0xds.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	0xds.exe
File opened (read-only)	\??\T:	0xds.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	0xds.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	0xds.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	0xds.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 1128	2796	Patch.exe	42

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID09C.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76cd1f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE87.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSICD7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF63.tmp	msiexec.exe
File created	C:\Windows\Installer\f76cd24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76cd22.ipi	msiexec.exe
File created	C:\Windows\Installer\f76cd1f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE0A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76cd22.ipi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0xds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcproinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcproinstall.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsNetwork.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WindowsNetwork.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WindowsNetwork.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2172	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0CFE4FA780CC63C4D8B7276BA6A6D447	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0CFE4FA780CC63C4D8B7276BA6A6D447\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\PackageCode = "A7E278B8F5E89CD40BBE07C3F9A6AB63"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BED167C29F693FD4BA7BC1C9F40DC3E0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\PackageName = "fcproinstall.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\fcproinstall\\fcproinstall 1.0.0\\install\\A6A4D74\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\ProductName = "fcproinstall"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\fcproinstall\\fcproinstall 1.0.0\\install\\A6A4D74\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BED167C29F693FD4BA7BC1C9F40DC3E0\0CFE4FA780CC63C4D8B7276BA6A6D447	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0CFE4FA780CC63C4D8B7276BA6A6D447\SourceList	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	WindowsNetwork.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	WindowsNetwork.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	WindowsNetwork.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2228	msiexec.exe
2228	msiexec.exe
1704	powershell.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe
1808	WindowsNetwork.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
900	fcproinstall.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeSecurityPrivilege	2228	msiexec.exe
Token: SeCreateTokenPrivilege	2428	0xds.exe
Token: SeAssignPrimaryTokenPrivilege	2428	0xds.exe
Token: SeLockMemoryPrivilege	2428	0xds.exe
Token: SeIncreaseQuotaPrivilege	2428	0xds.exe
Token: SeMachineAccountPrivilege	2428	0xds.exe
Token: SeTcbPrivilege	2428	0xds.exe
Token: SeSecurityPrivilege	2428	0xds.exe
Token: SeTakeOwnershipPrivilege	2428	0xds.exe
Token: SeLoadDriverPrivilege	2428	0xds.exe
Token: SeSystemProfilePrivilege	2428	0xds.exe
Token: SeSystemtimePrivilege	2428	0xds.exe
Token: SeProfSingleProcessPrivilege	2428	0xds.exe
Token: SeIncBasePriorityPrivilege	2428	0xds.exe
Token: SeCreatePagefilePrivilege	2428	0xds.exe
Token: SeCreatePermanentPrivilege	2428	0xds.exe
Token: SeBackupPrivilege	2428	0xds.exe
Token: SeRestorePrivilege	2428	0xds.exe
Token: SeShutdownPrivilege	2428	0xds.exe
Token: SeDebugPrivilege	2428	0xds.exe
Token: SeAuditPrivilege	2428	0xds.exe
Token: SeSystemEnvironmentPrivilege	2428	0xds.exe
Token: SeChangeNotifyPrivilege	2428	0xds.exe
Token: SeRemoteShutdownPrivilege	2428	0xds.exe
Token: SeUndockPrivilege	2428	0xds.exe
Token: SeSyncAgentPrivilege	2428	0xds.exe
Token: SeEnableDelegationPrivilege	2428	0xds.exe
Token: SeManageVolumePrivilege	2428	0xds.exe
Token: SeImpersonatePrivilege	2428	0xds.exe
Token: SeCreateGlobalPrivilege	2428	0xds.exe
Token: SeCreateTokenPrivilege	2428	0xds.exe
Token: SeAssignPrimaryTokenPrivilege	2428	0xds.exe
Token: SeLockMemoryPrivilege	2428	0xds.exe
Token: SeIncreaseQuotaPrivilege	2428	0xds.exe
Token: SeMachineAccountPrivilege	2428	0xds.exe
Token: SeTcbPrivilege	2428	0xds.exe
Token: SeSecurityPrivilege	2428	0xds.exe
Token: SeTakeOwnershipPrivilege	2428	0xds.exe
Token: SeLoadDriverPrivilege	2428	0xds.exe
Token: SeSystemProfilePrivilege	2428	0xds.exe
Token: SeSystemtimePrivilege	2428	0xds.exe
Token: SeProfSingleProcessPrivilege	2428	0xds.exe
Token: SeIncBasePriorityPrivilege	2428	0xds.exe
Token: SeCreatePagefilePrivilege	2428	0xds.exe
Token: SeCreatePermanentPrivilege	2428	0xds.exe
Token: SeBackupPrivilege	2428	0xds.exe
Token: SeRestorePrivilege	2428	0xds.exe
Token: SeShutdownPrivilege	2428	0xds.exe
Token: SeDebugPrivilege	2428	0xds.exe
Token: SeAuditPrivilege	2428	0xds.exe
Token: SeSystemEnvironmentPrivilege	2428	0xds.exe
Token: SeChangeNotifyPrivilege	2428	0xds.exe
Token: SeRemoteShutdownPrivilege	2428	0xds.exe
Token: SeUndockPrivilege	2428	0xds.exe
Token: SeSyncAgentPrivilege	2428	0xds.exe
Token: SeEnableDelegationPrivilege	2428	0xds.exe
Token: SeManageVolumePrivilege	2428	0xds.exe
Token: SeImpersonatePrivilege	2428	0xds.exe
Token: SeCreateGlobalPrivilege	2428	0xds.exe
Token: SeCreateTokenPrivilege	2428	0xds.exe
Token: SeAssignPrimaryTokenPrivilege	2428	0xds.exe
Token: SeLockMemoryPrivilege	2428	0xds.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2428	0xds.exe
2828	msiexec.exe
2828	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2228 wrote to memory of 1052	2228	msiexec.exe	31
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2428 wrote to memory of 2828	2428	0xds.exe	32
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 1804	2228	msiexec.exe	37
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2228 wrote to memory of 2796	2228	msiexec.exe	38
PID 2796 wrote to memory of 1704	2796	Patch.exe	40
PID 2796 wrote to memory of 1704	2796	Patch.exe	40
PID 2796 wrote to memory of 1704	2796	Patch.exe	40
PID 2796 wrote to memory of 1704	2796	Patch.exe	40
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2796 wrote to memory of 1128	2796	Patch.exe	42
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2228 wrote to memory of 2032	2228	msiexec.exe	44
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 2032 wrote to memory of 900	2032	fcproinstall.exe	45
PID 1128 wrote to memory of 1808	1128	RegAsm.exe	46
PID 1128 wrote to memory of 1808	1128	RegAsm.exe	46
PID 1128 wrote to memory of 1808	1128	RegAsm.exe	46
PID 1128 wrote to memory of 1808	1128	RegAsm.exe	46
PID 1808 wrote to memory of 1488	1808	WindowsNetwork.exe	49
PID 1808 wrote to memory of 1488	1808	WindowsNetwork.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0xds.exe
"C:\Users\Admin\AppData\Local\Temp\0xds.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\fcproinstall.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0xds.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1725424107 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15D7A4CF31DB9F63F538DD4E43D0A3B2 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 567FDC71288E7D8CE100245742C0DFB6
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Users\Admin\AppData\Roaming\WindowsActiveServices\Patch.exe
  "C:\Users\Admin\AppData\Roaming\WindowsActiveServices\Patch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBpAG4AZABvAHcAcwBBAGMAdABpAHYAZQBTAGUAcgB2AGkAYwBlAHMAXABQAGEAdABjAGgALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAFAAYQB0AGMAaAAuAGUAeABlADsA
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Users\Admin\AppData\Roaming\WindowsNetworkServices\WindowsNetwork.exe
      "C:\Users\Admin\AppData\Roaming\WindowsNetworkServices\WindowsNetwork.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCBGCGHDGIEG" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2172
- C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe
  "C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\is-FATL9.tmp\fcproinstall.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FATL9.tmp\fcproinstall.tmp" /SL5="$A01C8,8669330,121344,C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2768

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000003D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76cd23.rbs

Filesize
8KB

MD5
fa246ba509a03b61d1d9857af550aac6

SHA1
03b660882329742ce6012641dbc3b03c767ebb3e

SHA256
c86afeac15ecb70a772b8e35b5d062d07c5be301ab5af01b15a7d3960cc2fc11

SHA512
a69cdd0b0f45f23899d699aadcf24a283d0b83788e47543884409d0760e8e16a7928db10032508f6940f6618191e6076835a2c7a0063682d180d4ccb8288551c

Download Submit
C:\ProgramData\GCBGCGHDGIEG\JDGCFB

Filesize
12KB

MD5
bc0d675d4c5fbd6bf713e65eb7098cbf

SHA1
aa5048df2a05c775cda64b75752f384f60778620

SHA256
4bfecc5a840bea4c3803f05057620665d5d6f735d6cfc9e11bc9b0b44b6c79a4

SHA512
bef2e97a8d621d5fbc59750f84f768a7dfae3ccda3bfa903eac65e34eaa84772d128e96aa63a5c78c95c20ae885cebb7f4d318d5b145632f98203633c00caffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab44FE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar453F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\AppDataFolder\WindowsActiveServices\Patch.exe

Filesize
439KB

MD5
5c71d85721484031e2caf286c1ed856d

SHA1
f856bd5367298b716eb883e727ec45fef3db7ef0

SHA256
5ea46f738d4a28b69243bf2b3bf57fd15a261d96348025d4ce17d860f19644c8

SHA512
eb77901879169410f1bfe6981c23312f0cd07be4aa8deaa24c20f374a833b7d29d99432e6c7ee8b44c219ce0758a5cd6a26c6f266b85c5e78f3f995c4cf4a378

Download Submit
C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\fcproinstall.exe

Filesize
8.6MB

MD5
1c2b96c284a4b3e7b7d2f9fa438fa26f

SHA1
2bc4b6936a8a22fba48fcde053932e5ea73e9837

SHA256
6115d9356d8421d392f5eaa1516d7618e8c681036956ccc7132a76eca493c74c

SHA512
ad36e73ae4a820b67d787d0c1800536e5b3e167974385fb10f8788c8b891963003d563ee4db8e6897deb2103a4d8d7946a2d2628fbb5aebf80987729d1eae7e8

Download Submit
C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\fcproinstall.msi

Filesize
1.1MB

MD5
b2f3126e0396807fa21245851545ca4b

SHA1
5d384f46b3021240094ecfc03fa41032fc86e7c7

SHA256
e5ff1a0434f1de5a65108b1ab5e29c93bd9513c63ea33911c7fc04884ccd00d1

SHA512
9e0d448dd5585e41c5c13711841de2bd5771b724be465ad6ae38d2a5b76e2f7c3e28fa6ae17a469fff22582f497b570d9394ff101a3c6b24bb3ae12de55c4c74

Download Submit
C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\decoder.dll

Filesize
202KB

MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB490.tmp

Filesize
378KB

MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\is-FATL9.tmp\fcproinstall.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
\Users\Admin\AppData\Roaming\WindowsNetworkServices\WindowsNetwork.exe

Filesize
264KB

MD5
c46cf092ca90dec5d9794d58bc3d60af

SHA1
ee85693b181df0518ec1404831d0d0b05c97fdaf

SHA256
e708ccdb34685d4df6d7a8959f2dc98d28f1a5bbf89120ff595613a1df7ab2d7

SHA512
acbd3ab6958eb2b78cb0884ffba5bed24249421c1db1c2093e42f69a80bffdaaaedb785b726e742a1dfbc16499724ca3f56e6027dbbace840a5eb7f8f9d68af0

Download Submit
\Windows\Installer\MSICF63.tmp

Filesize
567KB

MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
memory/900-104-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1128-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-139-0x0000000005FF0000-0x0000000006247000-memory.dmp

Filesize
2.3MB

Download
memory/1128-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1128-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1128-140-0x0000000005FF0000-0x0000000006247000-memory.dmp

Filesize
2.3MB

Download
memory/1808-142-0x0000000000300000-0x0000000000557000-memory.dmp

Filesize
2.3MB

Download
memory/1808-319-0x0000000032E30000-0x000000003308F000-memory.dmp

Filesize
2.4MB

Download
memory/1808-788-0x0000000000300000-0x0000000000557000-memory.dmp

Filesize
2.3MB

Download
memory/2032-103-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2032-89-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2428-0-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2796-65-0x0000000000DA0000-0x0000000000DEC000-memory.dmp

Filesize
304KB

Download
memory/2796-64-0x0000000000BB0000-0x0000000000BDC000-memory.dmp

Filesize
176KB

Download
memory/2796-63-0x0000000000790000-0x00000000007BE000-memory.dmp

Filesize
184KB

Download
memory/2796-62-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download
memory/2796-61-0x0000000001280000-0x00000000012F4000-memory.dmp

Filesize
464KB

Download