0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3

Analysis

max time kernel
146s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-05-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
Size

636KB
MD5

05478eb3ea1d0dda692888db059e9512
SHA1

ca516d88d992f0ade8041caef7e2ee411c524347
SHA256

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3
SHA512

e73bf3929cd828699c80f08d8bb52a678fe821f653d904c50b7faa90a7273e8d3f990339bf8d3fe95fc1878938424a90895df89a270dd712e94fd69bbe14b914

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

bffd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts bffd.exe
Executes dropped EXE 4 IoCs

Processes:

q.exebffd.exebffd.exebffd.exe

pid process

1632 q.exe
904 bffd.exe
1460 bffd.exe
1036 bffd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

pid	process
1632	q.exe
904	bffd.exe
1460	bffd.exe
1036	bffd.exe

Loads dropped DLL 44 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exeq.exeregsvr32.exebffd.exebffd.exebffd.exerundll32.exerundll32.exe

pid	process
872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
1632	q.exe
1632	q.exe
1632	q.exe
1684	regsvr32.exe
872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
904	bffd.exe
904	bffd.exe
904	bffd.exe
872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
1460	bffd.exe
1460	bffd.exe
1460	bffd.exe
1036	bffd.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1188	rundll32.exe
1188	rundll32.exe
1188	rundll32.exe
1188	rundll32.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe
1036	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exebffd.exerundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exeq.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\3bef.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	q.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File created	C:\Windows\SysWOW64\759-12-114	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File created	C:\Windows\SysWOW64\2b7	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe

Drops file in Windows directory 13 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe

description	ioc	process
File opened for modification	C:\Windows\bf14.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a34b.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\f6f.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\8f6.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\4bad.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\f6fu.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\8f6d.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a8fd.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File created	C:\Windows\Tasks\ms.job	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\14ba.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a8f.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\6f1u.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a8fd.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{A9D0E35F-0176-4CFB-971B-A1CB317B1738}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{A9D0E35F-0176-4CFB-971B-A1CB317B1738}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bffd.exe

pid process

1036 bffd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

q.exe

pid process

1632 q.exe

pid	process
1036	bffd.exe

pid	process
1632	q.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exebffd.exe

description	pid	process	target process
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1108	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 700	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1600	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1524	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1632	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 1684	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 904	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1460	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 872 wrote to memory of 1188	872	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 1036 wrote to memory of 1512	1036	bffd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
"C:\Users\Admin\AppData\Local\Temp\0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
2⤵
PID:1108

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
2⤵
PID:700

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
2⤵
PID:1524

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
2⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1684

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -i
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -s
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1188

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
2⤵
- Loads dropped DLL
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
C:\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
120KB

MD5
7a26e1a43de98b82c810b79bd8d7704f

SHA1
13d7f00213af57785f00ba536fc25278e3ce62c5

SHA256
0f76ada847f72876015b7440d50b04483283abdc7137970e23b2752e6503b70c

SHA512
5c136c552fcb48980919cefc41a7d352e04bb1123708185856ca6d40c1ff461f1037187e62564178699032606a86689877f9d5731d052e670fd720c9ea123546

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
616KB

MD5
70d81068e5e2f9fead0cdc11867ba366

SHA1
ff7cea9fb71ed12e6e85e36e19dcb6ed794f10f0

SHA256
e8c0f6634ed1b681e1b1a4d49f74a5358cac69a51907c9faf2506062678458bd

SHA512
64fb4cc371c7700b6c73ae390896285f286d10c2ab4b2b364a5ad5040407d1a9c330993e5a908341841bc8b8410272b2f81a29e1a8f82be1e3c6ec3d6d3b32d2

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
148KB

MD5
057ac770c8b928677df9e2805af3469d

SHA1
dd508a83159d763967a9ad3b3f7977974adddfa1

SHA256
1b23586b78888e5cd861f6526d9a455deeceba61dfab3994459f3d338a685508

SHA512
bb12931e83b799776da80574b02ca7dc7035d58795159501d483edb3c550952af5334e483c9ad844849cced4b6591d320af9428a5d96b6abc83777a4b14097cd

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
224KB

MD5
c75da17a69effa5787976abc15239497

SHA1
e14af6ae3e55607075e64f25606b05ff19a76533

SHA256
d029ad6f33bd5b08ab83ef60673af272eb0863bd14a021cf9cc58cb90f8a3192

SHA512
03c1059607e41c4f3f23062a2f137b3dd377849d5bfa990b24f4e73e79867fe1b479ac43005747ca60d1bdf585718294d893521de15cef774267b1072b39dac2

Download Submit
memory/700-57-0x0000000000000000-mapping.dmp

Download
memory/872-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/904-78-0x0000000000000000-mapping.dmp

Download
memory/1108-55-0x0000000000000000-mapping.dmp

Download
memory/1188-99-0x0000000000000000-mapping.dmp

Download
memory/1460-87-0x0000000000000000-mapping.dmp

Download
memory/1512-104-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000000000-mapping.dmp

Download
memory/1600-59-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1684-72-0x0000000000000000-mapping.dmp

Download