e1a5b2392f673f9d652727956690a6f135f5c2d129729a23729bda78f18e32d0

Analysis

max time kernel
103s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48fad24a6419341ce64b063be81e402a.exe
Size

484KB
MD5

48fad24a6419341ce64b063be81e402a
SHA1

aaab00c61a68acaea1f687d3291df88db3092754
SHA256

e1a5b2392f673f9d652727956690a6f135f5c2d129729a23729bda78f18e32d0
SHA512

680d13e3cb49bb3a5712f5f9dff27b9800bdff1287eac9219e5f97061cb99465ff0518c17d268ff31560e089e56525a56c43537d8c06b91738fb343a51e0cd40
SSDEEP

12288:SLdIQpe9G51q7UeRtFB/4zRbqQeg1GNGNrUr8Jyn:SB/sG6waFBARl1mjr8wn

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

Executes dropped EXE 3 IoCs

pid	Process
3520	bffd.exe
3472	bffd.exe
4368	bffd.exe

Loads dropped DLL 24 IoCs

pid	Process
992	regsvr32.exe
4368	bffd.exe
5040	rundll32.exe
1580	rundll32.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe
4368	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\144d.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\SysWOW64\0683	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\SysWOW64\2531-89-126	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\a8fd.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\f6fu.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\8f6d.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\14ba.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8f.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\f6f.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\6f1u.bmp	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\Tasks\ms.job	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\bf14.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a34b.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\8f6.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\4bad.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8fd.flv	48fad24a6419341ce64b063be81e402a.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4368	bffd.exe
4368	bffd.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 1308	3196	48fad24a6419341ce64b063be81e402a.exe	88
PID 3196 wrote to memory of 1308	3196	48fad24a6419341ce64b063be81e402a.exe	88
PID 3196 wrote to memory of 1308	3196	48fad24a6419341ce64b063be81e402a.exe	88
PID 3196 wrote to memory of 636	3196	48fad24a6419341ce64b063be81e402a.exe	97
PID 3196 wrote to memory of 636	3196	48fad24a6419341ce64b063be81e402a.exe	97
PID 3196 wrote to memory of 636	3196	48fad24a6419341ce64b063be81e402a.exe	97
PID 3196 wrote to memory of 4728	3196	48fad24a6419341ce64b063be81e402a.exe	89
PID 3196 wrote to memory of 4728	3196	48fad24a6419341ce64b063be81e402a.exe	89
PID 3196 wrote to memory of 4728	3196	48fad24a6419341ce64b063be81e402a.exe	89
PID 3196 wrote to memory of 4444	3196	48fad24a6419341ce64b063be81e402a.exe	90
PID 3196 wrote to memory of 4444	3196	48fad24a6419341ce64b063be81e402a.exe	90
PID 3196 wrote to memory of 4444	3196	48fad24a6419341ce64b063be81e402a.exe	90
PID 3196 wrote to memory of 992	3196	48fad24a6419341ce64b063be81e402a.exe	95
PID 3196 wrote to memory of 992	3196	48fad24a6419341ce64b063be81e402a.exe	95
PID 3196 wrote to memory of 992	3196	48fad24a6419341ce64b063be81e402a.exe	95
PID 3196 wrote to memory of 3520	3196	48fad24a6419341ce64b063be81e402a.exe	94
PID 3196 wrote to memory of 3520	3196	48fad24a6419341ce64b063be81e402a.exe	94
PID 3196 wrote to memory of 3520	3196	48fad24a6419341ce64b063be81e402a.exe	94
PID 3196 wrote to memory of 3472	3196	48fad24a6419341ce64b063be81e402a.exe	100
PID 3196 wrote to memory of 3472	3196	48fad24a6419341ce64b063be81e402a.exe	100
PID 3196 wrote to memory of 3472	3196	48fad24a6419341ce64b063be81e402a.exe	100
PID 4368 wrote to memory of 5040	4368	bffd.exe	102
PID 4368 wrote to memory of 5040	4368	bffd.exe	102
PID 4368 wrote to memory of 5040	4368	bffd.exe	102
PID 3196 wrote to memory of 1580	3196	48fad24a6419341ce64b063be81e402a.exe	101
PID 3196 wrote to memory of 1580	3196	48fad24a6419341ce64b063be81e402a.exe	101
PID 3196 wrote to memory of 1580	3196	48fad24a6419341ce64b063be81e402a.exe	101

C:\Users\Admin\AppData\Local\Temp\48fad24a6419341ce64b063be81e402a.exe
"C:\Users\Admin\AppData\Local\Temp\48fad24a6419341ce64b063be81e402a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
  2⤵
  PID:1308
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
  2⤵
  PID:4728
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
  2⤵
  PID:4444
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -i
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:992
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
  2⤵
  PID:636
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -s
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
  2⤵
  - Loads dropped DLL
  PID:1580

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
197KB

MD5
972e07cb9c033a7c4b37afc898462df3

SHA1
add9ae3dd4d41c0582c134e74b94330ae8f2e404

SHA256
889b23d737bd54449fb357c07dac2a99a066a5e1d88a9ef65e1fe460aa8e26ed

SHA512
c62e26bb29490e7b067418d67f7ed348fe975cc99591da32f4845529e75a98242022e0b6cca75260b6d57aef78ec37218f3a2bf5add1037f115839c3a0c0b9e8

Download Submit
C:\Windows\SysWOW64\841e.dll

Filesize
91KB

MD5
6a3234cdec0b557712918afefa6f2927

SHA1
9e2f10b52a3ad365deda0b9fd2306bcad80c32b4

SHA256
f3a2d33e88e1fe93409013bddcaececcc9286fa48c39580a537a9f96688811fa

SHA512
69fec103b94e063fceb978fcd2bf774f78637bb98a742b004d9f9ac98a1e24f081cb157fe12ac7b75900bed35e76f18de496d137bedec378e6cc606d19956459

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
126KB

MD5
253746d45bf831cfc6e2aed1ff2af08c

SHA1
48369bc1f8c8272e7dfb79435e0a17c64e56ca33

SHA256
f126432614f93e4491def0d5e51c4661c93def94200bc3b4cffb9b57033b7ce7

SHA512
2cabf487324326c948510bd5e723c1103edfd0bb75449316e04045c5c87e9d47c67b8593ebdc9571b2ccce5e035b8e9e93bb0ba09eba5cd0db15e1fd8267e09a

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
62KB

MD5
6f9e65820c6cee96f205ad28d1dbcf63

SHA1
c89ebb21142b1fe46327feffab26fe83946865e5

SHA256
47f44e55072263b80e4d904df7e4438f83ba4339b2e51ba70bb286b0e60f5e22

SHA512
d280cad42b22242df9c3fee46ef716812bb4ac14f1135d75ee05644f7ae0da1d4fa17a97ac24a962c7f776074ffa9b678c3a7c30ed25a5cdb64785be6b70f246

Download Submit
C:\Windows\SysWOW64\bffd.exe

Filesize
72KB

MD5
71d54ab0e44bb3f8643736fda6cd2e1a

SHA1
a53c5c25c3ab03ee2ab3db6f27cfb37b2357df04

SHA256
18a393f962d6f8b8d4665aaebe0409a7ba1b3267d1fe3572483618e0c5823fdc

SHA512
4f82114b5149ea5c604c13d24cd93dbe31c67b3baadbee5124ecf5f9828ece041629b318d62b9dbf48cfe33a9537aa8174a99013f94087f62039285b3b944e3a

Download Submit
memory/992-174-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/992-47-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/1580-79-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1580-80-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3472-63-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3472-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3472-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3520-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3520-59-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3520-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-118-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-132-0x00000000012D0000-0x00000000012D2000-memory.dmp

Filesize
8KB

Download
memory/4368-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-69-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/4368-85-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-86-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/4368-88-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4368-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-91-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-92-0x0000000000E70000-0x0000000000E72000-memory.dmp

Filesize
8KB

Download
memory/4368-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-68-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-95-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/4368-94-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-182-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-100-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/4368-99-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-103-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/4368-102-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-181-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-107-0x0000000000F60000-0x0000000000F62000-memory.dmp

Filesize
8KB

Download
memory/4368-109-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-110-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/4368-111-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-115-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download
memory/4368-114-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-117-0x0000000000F60000-0x0000000000F62000-memory.dmp

Filesize
8KB

Download
memory/4368-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-119-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/4368-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-124-0x00000000012B0000-0x00000000012B2000-memory.dmp

Filesize
8KB

Download
memory/4368-123-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-127-0x00000000012C0000-0x00000000012C2000-memory.dmp

Filesize
8KB

Download
memory/4368-126-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-128-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-179-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-131-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-135-0x00000000012E0000-0x00000000012E2000-memory.dmp

Filesize
8KB

Download
memory/4368-134-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-140-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/4368-139-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-143-0x0000000001300000-0x0000000001302000-memory.dmp

Filesize
8KB

Download
memory/4368-142-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-147-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-148-0x0000000001310000-0x0000000001312000-memory.dmp

Filesize
8KB

Download
memory/4368-150-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-151-0x0000000001320000-0x0000000001322000-memory.dmp

Filesize
8KB

Download
memory/4368-152-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-156-0x0000000001330000-0x0000000001332000-memory.dmp

Filesize
8KB

Download
memory/4368-155-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-159-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/4368-158-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-164-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/4368-163-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-167-0x0000000001360000-0x0000000001362000-memory.dmp

Filesize
8KB

Download
memory/4368-166-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-168-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-172-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/4368-171-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4368-175-0x0000000001380000-0x0000000001382000-memory.dmp

Filesize
8KB

Download
memory/4368-66-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4368-176-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4368-180-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/5040-78-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5040-105-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5040-97-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5040-90-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5040-81-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download