a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a

Analysis

max time kernel
151s
max time network
85s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
Size

492KB
MD5

3e03a6828eeeefd4c3ffb3f8cc863663
SHA1

9e6972a5c89121072a6f384ede65e25f454db48d
SHA256

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a
SHA512

7161251697ea97f0a09010f7b101d2e7ad342db7d934c9aa673714b9c96bdf5344d41ed6bcf93b909d5d209b49a987b12533670f80ea45930d141289d3d34d5a
SSDEEP

12288:PfpgK3nBk1ZxWyPvj36tXm4zBjcyz9V7Sl2aLL6s6OO:P2K3Bk9WyDqXzBjcyV7oKOO

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

bffd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts bffd.exe
Executes dropped EXE 3 IoCs

Processes:

bffd.exebffd.exebffd.exe

pid process

976 bffd.exe
1740 bffd.exe
1360 bffd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

pid	process
976	bffd.exe
1740	bffd.exe
1360	bffd.exe

Loads dropped DLL 41 IoCs

Processes:

regsvr32.exea40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exebffd.exebffd.exebffd.exerundll32.exerundll32.exe

pid	process
1948	regsvr32.exe
1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
976	bffd.exe
976	bffd.exe
976	bffd.exe
1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
1740	bffd.exe
1740	bffd.exe
1740	bffd.exe
1360	bffd.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1804	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe
1360	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "Microsoft User"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

rundll32.exea40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exebffd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe

Drops file in System32 directory 18 IoCs

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\14rb.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File created	C:\Windows\SysWOW64\57-8160-106	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File created	C:\Windows\SysWOW64\172	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe

Drops file in Windows directory 13 IoCs

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe

description	ioc	process
File opened for modification	C:\Windows\a34b.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\f6f.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\a8f.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\4bad.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\a8fd.flv	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\f6fu.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\8f6d.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File created	C:\Windows\Tasks\ms.job	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\bf14.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\14ba.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\8f6.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\6f1u.bmp	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
File opened for modification	C:\Windows\a8fd.exe	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe

Modifies registry class 47 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ = "IFunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{797AD939-E96C-43E1-ACBD-778DFFD8748C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CC0BADE-4049-4B84-B998-D1AD4D7B9C44}\TypeLib\ = "{797AD939-E96C-43E1-ACBD-778DFFD8748C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED493CC4-E87B-4D8C-AC59-2A87A14237A0}\ProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bffd.exe

pid process

1360 bffd.exe

pid	process
1360	bffd.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exebffd.exe

description	pid	process	target process
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1992	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 2012	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1896	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1988	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 1948	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	regsvr32.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 976	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1740	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	bffd.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1448 wrote to memory of 1804	1448	a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe
PID 1360 wrote to memory of 1732	1360	bffd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe
"C:\Users\Admin\AppData\Local\Temp\a40fbcb650ae7c437727877e9720d95d38274477aa7f655118513b9f6fef136a.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
2⤵
PID:1992

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
2⤵
PID:2012

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
2⤵
PID:1896

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
2⤵
PID:1988

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1948

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -i
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976

C:\Windows\SysWOW64\bffd.exe
C:\Windows\system32\bffd.exe -s
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1804

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
2⤵
- Loads dropped DLL
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
C:\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
C:\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\841e.dll
Filesize
207KB

MD5
62c128ff9cf855b6002a443ad4880821

SHA1
6a38cb6732f3a6b10ce36fcee3036796e82f9db1

SHA256
387519b675ed3af405316b070e36e547e83081d7071ff62ce4e2a6d8332b8416

SHA512
7652baa66f86f25acf5cc9ce1a28c2422ce94e85c87bc80bf84384269f6cf02afc22ed098b7c86650241f7f50aec0b00a2f65859098502fea1bd7cb26d329c5b

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\8b4o.dll
Filesize
117KB

MD5
65e1ae74bd3914046589ad7371fb83a0

SHA1
fa9cc58fbdf22f95aff775a01b47448c079162db

SHA256
79c998e8a75688024df1fecb2fd9d61591ee6ea3819959d04e50dd232e5e5366

SHA512
094ff0a65150ce07a6ad06ada288f31fea0e4b15b6ce706b70f90a2fbec42771aecf20ce3d7197c2eac092621447fddcaf0db02e97665d8623ae018e270687f0

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
\Windows\SysWOW64\bffd.exe
Filesize
119KB

MD5
e08f5f729e96b8ad15345047574f1ea7

SHA1
ffc20d62632d9eb4e566eb4cb857589735f8a44e

SHA256
e5a7db6cce1ad7e9e2c0096c00049616b6c65a0fdc47bc271b1a5d80eb24a325

SHA512
84c87954d454d2662c1623e605f8bd6fc7d0e3018e83e7e6ca87ed3e9ee4887ce1749dbfe74972c7490577078fb6dacaefb28de2c45dd40cd23a98439ec9134e

Download Submit
memory/976-78-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/976-71-0x0000000000000000-mapping.dmp

Download
memory/1360-91-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1360-243-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1360-124-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1360-137-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1360-241-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1360-117-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1360-150-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1360-250-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download
memory/1448-103-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/1448-64-0x0000000000240000-0x00000000002B4000-memory.dmp

Filesize
464KB

Download
memory/1448-101-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1448-88-0x0000000000330000-0x000000000034D000-memory.dmp

Filesize
116KB

Download
memory/1448-87-0x0000000000330000-0x000000000034D000-memory.dmp

Filesize
116KB

Download
memory/1448-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1448-63-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1732-105-0x0000000000000000-mapping.dmp

Download
memory/1740-89-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1740-81-0x0000000000000000-mapping.dmp

Download
memory/1740-93-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1804-116-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1804-242-0x0000000010000000-0x00000000100B3000-memory.dmp

Filesize
716KB

Download
memory/1804-99-0x0000000000000000-mapping.dmp

Download
memory/1896-59-0x0000000000000000-mapping.dmp

Download
memory/1948-65-0x0000000000000000-mapping.dmp

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download