0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29-05-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
Size

636KB
MD5

05478eb3ea1d0dda692888db059e9512
SHA1

ca516d88d992f0ade8041caef7e2ee411c524347
SHA256

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3
SHA512

e73bf3929cd828699c80f08d8bb52a678fe821f653d904c50b7faa90a7273e8d3f990339bf8d3fe95fc1878938424a90895df89a270dd712e94fd69bbe14b914

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

bffd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts bffd.exe
Executes dropped EXE 4 IoCs

Processes:

q.exebffd.exebffd.exebffd.exe

pid process

2752 q.exe
1600 bffd.exe
4816 bffd.exe
4232 bffd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

pid	process
2752	q.exe
1600	bffd.exe
4816	bffd.exe
4232	bffd.exe

Loads dropped DLL 32 IoCs

Processes:

regsvr32.exebffd.exerundll32.exerundll32.exe

pid	process
3904	regsvr32.exe
4232	bffd.exe
1508	rundll32.exe
1460	rundll32.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe
4232	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exebffd.exerundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exerundll32.exeq.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\3bef.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File created	C:\Windows\SysWOW64\1e9389	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	q.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File created	C:\Windows\SysWOW64\-63-6863-65	rundll32.exe

Drops file in Windows directory 13 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe

description	ioc	process
File opened for modification	C:\Windows\a8fd.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File created	C:\Windows\Tasks\ms.job	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\14ba.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\8f6.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\6f1u.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a8fd.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\f6fu.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\8f6d.exe	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\bf14.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a34b.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\f6f.bmp	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\a8f.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
File opened for modification	C:\Windows\4bad.flv	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{A9D0E35F-0176-4CFB-971B-A1CB317B1738}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}\TypeLib\ = "{635634C3-9039-4B52-9090-7882FC04009C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2586C29-EEC0-4A83-9D03-EBCF18EF5F0E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{A9D0E35F-0176-4CFB-971B-A1CB317B1738}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{635634C3-9039-4B52-9090-7882FC04009C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9D0E35F-0176-4CFB-971B-A1CB317B1738}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bffd.exe

pid process

4232 bffd.exe
4232 bffd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

q.exe

pid process

2752 q.exe

pid	process
4232	bffd.exe
4232	bffd.exe

pid	process
2752	q.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exebffd.exe

description	pid	process	target process
PID 1964 wrote to memory of 2820	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 2820	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 2820	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 2368	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 2368	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 2368	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 4388	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 4388	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 4388	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 3068	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 3068	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 3068	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 2752	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 1964 wrote to memory of 2752	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 1964 wrote to memory of 2752	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	q.exe
PID 1964 wrote to memory of 3904	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 3904	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 3904	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	regsvr32.exe
PID 1964 wrote to memory of 1600	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 1964 wrote to memory of 1600	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 1964 wrote to memory of 1600	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 1964 wrote to memory of 4816	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 1964 wrote to memory of 4816	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 1964 wrote to memory of 4816	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	bffd.exe
PID 1964 wrote to memory of 1508	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 1964 wrote to memory of 1508	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 1964 wrote to memory of 1508	1964	0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe	rundll32.exe
PID 4232 wrote to memory of 1460	4232	bffd.exe	rundll32.exe
PID 4232 wrote to memory of 1460	4232	bffd.exe	rundll32.exe
PID 4232 wrote to memory of 1460	4232	bffd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe
"C:\Users\Admin\AppData\Local\Temp\0dcaf08f92b1d2c92a57444f8c6544f5285ccbc3741cd15667099c5515e1a0f3.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
2⤵
PID:2820

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
2⤵
PID:2368

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
2⤵
PID:4388

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
2⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -i
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -s
2⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1508

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
2⤵
- Loads dropped DLL
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
116KB

MD5
c966c3717336e21ab6d54cc77b4c48dd

SHA1
8c123e70bd99e71366b4f1277e7c2a181435ff3c

SHA256
236b37940254407c30ed064b0d8c9826fcc0017da5a37b5dbcc9cae127fc227b

SHA512
11d71be7a99b355045f3f30344a14e8d9fd56cb0e0f985c69b2020411a72da0c5d799a92aba1c8d240797d7439752aa04d991e96d9b7c063a066f8ef41082695

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\q.exe
Filesize
116KB

MD5
c966c3717336e21ab6d54cc77b4c48dd

SHA1
8c123e70bd99e71366b4f1277e7c2a181435ff3c

SHA256
236b37940254407c30ed064b0d8c9826fcc0017da5a37b5dbcc9cae127fc227b

SHA512
11d71be7a99b355045f3f30344a14e8d9fd56cb0e0f985c69b2020411a72da0c5d799a92aba1c8d240797d7439752aa04d991e96d9b7c063a066f8ef41082695

Download Submit
C:\Windows\SysWOW64\841e.dll
Filesize
624KB

MD5
d17b431b5987436e738f3f3601cef3e4

SHA1
64f8efb62b87e1158c30d77c835be256048bd815

SHA256
54345894558a8f0fe789af35d32bb7d2d8d9637a596c62818f897db88f2491eb

SHA512
3b4fd468810be9c24443e21d3befb89cc792cb71222ae12c847d926e884c344b23f059e3ec8953ab2d2ddc95dda391ab3782e2feede42af21fd67de9e2e29b11

Download Submit
C:\Windows\SysWOW64\841e.dll
Filesize
624KB

MD5
d17b431b5987436e738f3f3601cef3e4

SHA1
64f8efb62b87e1158c30d77c835be256048bd815

SHA256
54345894558a8f0fe789af35d32bb7d2d8d9637a596c62818f897db88f2491eb

SHA512
3b4fd468810be9c24443e21d3befb89cc792cb71222ae12c847d926e884c344b23f059e3ec8953ab2d2ddc95dda391ab3782e2feede42af21fd67de9e2e29b11

Download Submit
C:\Windows\SysWOW64\841e.dll
Filesize
624KB

MD5
d17b431b5987436e738f3f3601cef3e4

SHA1
64f8efb62b87e1158c30d77c835be256048bd815

SHA256
54345894558a8f0fe789af35d32bb7d2d8d9637a596c62818f897db88f2491eb

SHA512
3b4fd468810be9c24443e21d3befb89cc792cb71222ae12c847d926e884c344b23f059e3ec8953ab2d2ddc95dda391ab3782e2feede42af21fd67de9e2e29b11

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
232KB

MD5
439a129e3bd0f3df94e0f54da85b5fa2

SHA1
aa4019b917423e70208460f9e6b5e5862b6d3ba4

SHA256
36fdddb463bd8a266f8e70719f7b008aea16d54af3f5e334a011b84b2ec58354

SHA512
a1122d0cb35d1779a8005e47da39f935c71cb2e181f011807b8b43bfdd28d06a7d5561fc42e7002a5efa86f6ad6fc0787d124c2ee77f4ec44a6c3375195c3ef1

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
128KB

MD5
dbfe86c69e8bccfe88d9dca00f4c01ef

SHA1
5210442992897cba490ba0d67f1659d56891f900

SHA256
e3eb88db6079805831db4699db73cd3a509bda29285434743322e098d5e44b03

SHA512
4ccc9262348274f4bd9c139a12f893a544b78f4820149ca7e0b5a77258fc3e1aed144e9701ae7810eae80b7a5be810e5da09a481b1bfb6d65cf4c0e2fcc9563e

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
128KB

MD5
dbfe86c69e8bccfe88d9dca00f4c01ef

SHA1
5210442992897cba490ba0d67f1659d56891f900

SHA256
e3eb88db6079805831db4699db73cd3a509bda29285434743322e098d5e44b03

SHA512
4ccc9262348274f4bd9c139a12f893a544b78f4820149ca7e0b5a77258fc3e1aed144e9701ae7810eae80b7a5be810e5da09a481b1bfb6d65cf4c0e2fcc9563e

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
128KB

MD5
dbfe86c69e8bccfe88d9dca00f4c01ef

SHA1
5210442992897cba490ba0d67f1659d56891f900

SHA256
e3eb88db6079805831db4699db73cd3a509bda29285434743322e098d5e44b03

SHA512
4ccc9262348274f4bd9c139a12f893a544b78f4820149ca7e0b5a77258fc3e1aed144e9701ae7810eae80b7a5be810e5da09a481b1bfb6d65cf4c0e2fcc9563e

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
128KB

MD5
dbfe86c69e8bccfe88d9dca00f4c01ef

SHA1
5210442992897cba490ba0d67f1659d56891f900

SHA256
e3eb88db6079805831db4699db73cd3a509bda29285434743322e098d5e44b03

SHA512
4ccc9262348274f4bd9c139a12f893a544b78f4820149ca7e0b5a77258fc3e1aed144e9701ae7810eae80b7a5be810e5da09a481b1bfb6d65cf4c0e2fcc9563e

Download Submit
memory/1460-148-0x0000000000000000-mapping.dmp

Download
memory/1508-147-0x0000000000000000-mapping.dmp

Download
memory/1600-140-0x0000000000000000-mapping.dmp

Download
memory/2368-131-0x0000000000000000-mapping.dmp

Download
memory/2752-134-0x0000000000000000-mapping.dmp

Download
memory/2820-130-0x0000000000000000-mapping.dmp

Download
memory/3068-133-0x0000000000000000-mapping.dmp

Download
memory/3904-137-0x0000000000000000-mapping.dmp

Download
memory/4388-132-0x0000000000000000-mapping.dmp

Download
memory/4816-143-0x0000000000000000-mapping.dmp

Download