Malware Analysis Report

2025-01-18 21:12

Sample ID 240325-kc87haeb91
Target dd901d376b265f0ee7498d5a879c3492
SHA256 1914fea8b0c61485dd80187bd6eebda7cf2d2587e37febcd7ceceab7f7f93b1f
Tags
adware bootkit persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1914fea8b0c61485dd80187bd6eebda7cf2d2587e37febcd7ceceab7f7f93b1f

Threat Level: Likely malicious

The file dd901d376b265f0ee7498d5a879c3492 was found to be: Likely malicious.

Malicious Activity Summary

adware bootkit persistence stealer

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 08:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 08:28

Reported

2024-03-25 08:31

Platform

win10v2004-20240319-en

Max time kernel

148s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\b15d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\b15d.exe N/A
N/A N/A C:\Windows\SysWOW64\b15d.exe N/A
N/A N/A C:\Windows\SysWOW64\b15d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2EEF308-7B8A-4274-804F-D4433968632D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2EEF308-7B8A-4274-804F-D4433968632D}\ C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\b15d.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
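
A practitioner's check for this indicator, added here as an example and not part of the sandbox output: "File opened for modification \??\PhysicalDrive0" records that the process obtained a handle to the raw disk with write access. That is a precondition for overwriting the boot sector, not proof that it happened, and the report lists no sector-level write. The way to confirm is to read sector 0 of the disk (or of the VM's disk image after detonation), check the 0x55AA boot signature, parse the four 16-byte partition entries and compare the 446-byte bootstrap code against a baseline hash taken from a clean image of the same build. The Python below does exactly that over a constructed 512-byte sector; the sample sector, the "clean" and "tampered" bootstrap stubs and the baseline hash are all constructed for the example and are not bytes from this sample. read_live_mbr() shows how the same check is run against \\.\PhysicalDrive0 on a Windows host (needs an elevated prompt) and is not called on import.

```python
"""MBR parse-and-compare check (added example, not sandbox output).

The sample sector, the two bootstrap stubs and the baseline hash below are
constructed for illustration; they are not bytes from the analysed sample.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_partition_entry(raw: bytes) -> dict:
    # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4), little-endian
    status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": count}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into bootstrap hash, signature check and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE]))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one active partition, found %d" % len(bootable))
    return findings


def build_sample_sector(bootstrap: bytes) -> bytes:
    """Construct a minimal MBR: the given bootstrap stub, one active type-0x07 partition at LBA 2048."""
    sector = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    sector += struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    sector += b"\x00" * (3 * PARTITION_ENTRY_SIZE)          # three empty entries
    return sector + BOOT_SIGNATURE


def read_live_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw disk on Windows (requires administrator rights)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed stand-ins: a few bytes shaped like a normal real-mode stub, and a patched copy.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 8
TAMPERED_BOOTSTRAP = b"\xeb\xfe" + CLEAN_BOOTSTRAP[2:]
BASELINE_SHA256 = parse_mbr(build_sample_sector(CLEAN_BOOTSTRAP))["bootstrap_sha256"]

if __name__ == "__main__":
    for label, stub in (("clean", CLEAN_BOOTSTRAP), ("tampered", TAMPERED_BOOTSTRAP)):
        print(label, check_mbr(build_sample_sector(stub), BASELINE_SHA256) or "matches baseline")
```

On a real disk the partition table normally stays intact while only the bootstrap code is replaced, which is why the comparison hashes bytes 0..445 separately instead of the whole sector; a whole-sector hash would also change on every legitimate partition edit.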

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\b1u4.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\d0br.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b15e.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\2bdo.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\2bdo.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\45l6.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\52a1.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\d0br.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\s.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A
File created C:\Windows\SysWOW64\5b47 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\45l6.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\21c2.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\21c2.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\5ddd.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b15d.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b2e1.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\5dr2.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\2b0s.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\ÌÆ6-2-68-47 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\205d.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\1e4.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\246d.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\61e.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\461.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\246d.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Tasks\ms.job C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\4b12.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\e46u.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\d24d.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\246u.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\5d24.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\461d.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{B2EEF308-7B8A-4274-804F-D4433968632D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\ = "{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\ = "CTttPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ = "ITttPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\ProgID\ = "BHO.TttPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32\ = "C:\\Windows\\SysWow64\\2bdo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ = "ITttPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{B2EEF308-7B8A-4274-804F-D4433968632D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\2bdo.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\VersionIndependentProgID\ = "BHO.TttPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\ = "{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\TypeLib\ = "{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
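
What the registry writes above amount to: regsvr32 registers a COM class "CTttPlayer Object" (ProgID BHO.TttPlayer, CLSID {B2EEF308-7B8A-4274-804F-D4433968632D}) whose InprocServer32 is C:\Windows\SysWow64\2bdo.dll, and the "Installs/modifies Browser Helper Object" entries then list that CLSID under Explorer\Browser Helper Objects. That second key is what makes Internet Explorer load the DLL into every browser process at start-up; the CLSID is resolved through HKLM\SOFTWARE\Classes\CLSID (here the WOW6432Node view, because the DLL is 32-bit). Two caveats for triage: Chromium-based Edge and Chrome do not load BHOs, so on the win10 run this persists only into 32-bit Internet Explorer or IE mode; and a BHO whose DLL lives in SysWOW64 under a four-character name, with the rest of the dropped DLLs unregistered first (the regsvr32 /u /s calls in the process list), is the opposite of how legitimate vendors install extensions, which sit under Program Files.

The Python below, added as an example and not part of the report or the sample, audits a .reg export the way an analyst would on a suspect host: it parses the export, resolves every BHO CLSID in both registry views to its InprocServer32 DLL, and flags dangling registrations, DLLs outside Program Files, and short random-looking DLL names. SAMPLE_EXPORT is constructed: the first registration mirrors the keys listed in this report, the second is an invented benign control; TRUSTED_PREFIXES is an assumed site allowlist.

```python
"""Browser Helper Object audit from a .reg export (added example, not sandbox output).

SAMPLE_EXPORT is constructed: the first registration mirrors the keys this
report lists; the second is an invented benign control entry.
"""
import re

BHO_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION"
    r"\\EXPLORER\\BROWSER HELPER OBJECTS\\(\{[0-9A-F-]{36}\})$"
)
# Assumption for the example: only Program Files is treated as a normal home for BHO DLLs.
TRUSTED_PREFIXES = ("C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2EEF308-7B8A-4274-804F-D4433968632D}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}]
@="CTttPlayer Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32]
@="C:\\Windows\\SysWow64\\2bdo.dll"
"ThreadingModel"="apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example vendor BHO (constructed, benign)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
"""


def parse_reg_export(text: str) -> dict:
    """Minimal .reg reader: {KEY (upper-cased): {value_name: string_value}}; '' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')   # undo .reg escaping
        keys[current][name] = value
    return keys


def resolve_bhos(keys: dict) -> list:
    """Walk both registry views and resolve each BHO CLSID to its InprocServer32 DLL."""
    found = []
    for key in keys:
        m = BHO_KEY.match(key)
        if not m:
            continue
        view = "WOW6432NODE\\" if m.group(1) else ""
        clsid = m.group(2)
        base = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\" + view + "CLSID\\" + clsid
        found.append({
            "clsid": clsid,
            "bitness": "x86" if view else "x64",
            "name": keys.get(base, {}).get("", ""),
            "dll": keys.get(base + "\\INPROCSERVER32", {}).get(""),
        })
    return found


def suspicious_bhos(bhos: list) -> list:
    """Heuristics: dangling CLSID, DLL outside Program Files, short random-looking DLL name."""
    out = []
    for b in bhos:
        reasons = []
        if b["dll"] is None:
            reasons.append("CLSID has no InprocServer32 (dangling registration)")
        else:
            if not b["dll"].upper().startswith(TRUSTED_PREFIXES):
                reasons.append("DLL outside Program Files: " + b["dll"])
            stem = b["dll"].replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if re.fullmatch(r"[0-9a-z]{3,5}", stem, re.IGNORECASE) and any(c.isdigit() for c in stem):
                reasons.append("short random-looking DLL name: " + stem)
        if reasons:
            out.append((b["clsid"], reasons))
    return out


if __name__ == "__main__":
    for clsid, reasons in suspicious_bhos(resolve_bhos(parse_reg_export(SAMPLE_EXPORT))):
        print(clsid, *reasons, sep="\n  ")
```

To run this against a live host, export the hive with "reg export HKLM\SOFTWARE hklm_software.reg" and read the file with encoding="utf-16" (reg export writes UTF-16 with a BOM); the same functions then work unchanged. Collect the flagged DLLs and check their Authenticode signatures and hashes before removal, since the heuristics above only rank, they do not prove.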

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\b15d.exe N/A
N/A N/A C:\Windows\SysWOW64\b15d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1772 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1772 wrote to memory of 2092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 3608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 3608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 3608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 1540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 1540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 1540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 2680 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 3440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 3440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 3440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 4184 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 4184 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 4184 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2092 wrote to memory of 64 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\b15d.exe
PID 2092 wrote to memory of 64 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\b15d.exe
PID 2092 wrote to memory of 64 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\b15d.exe
PID 2092 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\b15d.exe
PID 2092 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\b15d.exe
PID 2092 wrote to memory of 3036 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\b15d.exe
PID 2092 wrote to memory of 4336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2092 wrote to memory of 4336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2092 wrote to memory of 4336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2948 wrote to memory of 2612 N/A C:\Windows\SysWOW64\b15d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 2612 N/A C:\Windows\SysWOW64\b15d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 2612 N/A C:\Windows\SysWOW64\b15d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 5072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 5072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2092 wrote to memory of 5072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/45l6.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/21c2.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/d0br.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/2bdo.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/2bdo.dll"

C:\Windows\SysWOW64\b15d.exe

C:\Windows\system32/b15d.exe -i

C:\Windows\SysWOW64\b15d.exe

C:\Windows\system32/b15d.exe -s

C:\Windows\SysWOW64\b15d.exe

C:\Windows\SysWOW64\b15d.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/b15e.dll,Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/b15e.dll, Always

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:8
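
Reading the process tree: the submitted DLL is loaded by the 64-bit rundll32.exe, which hands off to the 32-bit C:\Windows\SysWOW64\rundll32.exe (the first three WriteProcessMemory rows, PID 1772 to 2092). That 32-bit process drives everything else: it drops the DLLs and EXEs listed under "Drops file in System32 directory", runs four regsvr32 /u /s calls (unregister) followed by a regsvr32 /s registration of 2bdo.dll, starts b15d.exe with -i and then -s, launches mtv.exe from the Temp drop directory, and spawns a further rundll32 with b15e.dll,Always; a separate b15d.exe instance (PID 2948) spawns the same rundll32 command. The command lines say C:\Windows\system32\... while the recorded image paths are under SysWOW64: that is WOW64 file-system redirection for a 32-bit process, and it is also why the dropped files land in SysWOW64. The forward slash in "system32/2bdo.dll" comes from the malware's own command strings and is a handy string-level artefact. The win7 detonation (behavioral1) shows the same chain under different random names (341d.exe, b34o.dll, 341e.dll).

The Python below, added here as an example and not part of the report, turns those chain features into five detection rules and runs them over a constructed event list built from this tree. Assumptions: the PID-to-command mapping for the regsvr32 children is not in the report and is assigned in list order; the parent of PID 1772 and of the standalone b15d.exe are not recorded (a constructed explorer.exe and ppid 0 stand in); and two benign rows (explorer.exe and a rundll32 shell32.dll,Control_RunDLL launch) are included as controls that must not fire.

```python
"""Process-chain rules for the rundll32 -> regsvr32/dropped-EXE pattern in this report
(added example, not sandbox output). SAMPLE_EVENTS is constructed from the behavioral2
process tree; PID-to-command mapping and the two unrecorded parents are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the process image as recorded by the sensor
    cmdline: str


WINDIR = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\")
USER_WRITABLE = ("\\APPDATA\\LOCAL\\TEMP\\", "\\APPDATA\\ROAMING\\", "\\DOWNLOADS\\", "\\PUBLIC\\")


def norm(path: str) -> str:
    """Upper-case and unify slashes so 'system32/x.dll' and 'System32\\x.dll' compare equal."""
    return path.replace("/", "\\").upper()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def looks_random(stem: str) -> bool:
    """3-5 alphanumerics with at least one digit, e.g. B15D, 2BDO, 45L6 (heuristic, not proof)."""
    return re.fullmatch(r"[0-9A-Z]{3,5}", stem) is not None and any(c.isdigit() for c in stem)


def rundll32_target(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (dll, export) from a rundll32 command line; export may be an ordinal like '#1'."""
    m = re.search(r"rundll32(?:\.exe)?\s+\"?([^\",]+?)\"?\s*,\s*(\S+)", cmdline, re.IGNORECASE)
    return (m.group(1).strip(), m.group(2)) if m else (None, None)


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule_id, detail) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""
        img = basename(e.image)
        stem = img.rsplit(".", 1)[0]
        image_n = norm(e.image)
        if img == "RUNDLL32.EXE":
            dll, export = rundll32_target(e.cmdline)
            if dll:
                dll_n = norm(dll)
                dll_stem = basename(dll).rsplit(".", 1)[0]
                if export.startswith("#") and any(p in dll_n for p in USER_WRITABLE):
                    findings.append((e.pid, "R1", "rundll32 loads a DLL from a user-writable path by ordinal: " + dll))
                if dll_n.startswith(WINDIR) and looks_random(dll_stem):
                    findings.append((e.pid, "R4", "rundll32 loads a random-named DLL from a Windows directory: " + dll))
        if img == "REGSVR32.EXE" and parent_img == "RUNDLL32.EXE":
            findings.append((e.pid, "R2", "regsvr32 spawned by rundll32: " + e.cmdline))
        if image_n.startswith(WINDIR) and looks_random(stem):
            findings.append((e.pid, "R3", "random-named executable running from a Windows directory: " + e.image))
        if parent_img == "RUNDLL32.EXE" and any(p in image_n for p in USER_WRITABLE):
            findings.append((e.pid, "R5", "rundll32 spawned an executable from a user-writable path: " + e.image))
    return findings


SAMPLE_EVENTS = [
    ProcEvent(700, 1, r"C:\Windows\explorer.exe", "explorer.exe"),                       # benign control (constructed)
    ProcEvent(800, 700, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),           # benign rundll32 use (constructed)
    ProcEvent(1772, 700, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1"),
    ProcEvent(2092, 1772, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1"),
    ProcEvent(3608, 2092, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/45l6.dll"'),
    ProcEvent(4184, 2092, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/2bdo.dll"'),
    ProcEvent(64, 2092, r"C:\Windows\SysWOW64\b15d.exe", r"C:\Windows\system32/b15d.exe -i"),
    ProcEvent(3036, 2092, r"C:\Windows\SysWOW64\b15d.exe", r"C:\Windows\system32/b15d.exe -s"),
    ProcEvent(4336, 2092, r"C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe",
              r"C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe"),
    ProcEvent(2948, 0, r"C:\Windows\SysWOW64\b15d.exe", r"C:\Windows\SysWOW64\b15d.exe"),   # parent not in report
    ProcEvent(2612, 2948, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32 C:\Windows\system32/b15e.dll,Always"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

R2 and R5 are the rules worth tuning on a real estate: rundll32 launching regsvr32 or anything out of a user Temp directory is rare outside installers, while R3's random-name heuristic will need an allowlist for the handful of legitimately short-named binaries in System32.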

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
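
The report does not attribute DNS queries to processes, so this table mixes the sample's lookups with the VM's own. The PTR (in-addr.arpa) rows are reverse lookups of addresses in 13.x, 20.x, 88.221.x, 93.184.x and 96.x space, consistent with Microsoft and CDN address space used by Windows background services in the sandbox image rather than with the sample; the forward lookups of 122.770304123.cn, 122.zzso.cn and yahoo.com.cn are the rows worth carrying as indicators, and even those should be corroborated against process-level network telemetry before they are blocked. Each of the two .cn names is queried three times in succession, a pattern typical of resolver retries when no usable answer comes back; the report shows no responses, so that cannot be confirmed here.

The Python below, added as an example and not part of the report, does that separation over the table as printed: it parses the rows, turns each PTR name back into the address being looked up, and counts forward lookups by registrable domain. NETWORK_ROWS is a copy of the table above; MULTI_LABEL_SUFFIXES is a small stand-in for the Public Suffix List and is an assumption of the example.

```python
"""Split a sandbox DNS table into sample-attributable lookups and VM background noise
(added example, not sandbox output). NETWORK_ROWS copies the behavioral2 Network table;
MULTI_LABEL_SUFFIXES is a tiny stand-in for the Public Suffix List (assumption)."""
from collections import Counter
from typing import Dict, List, Tuple

NETWORK_ROWS = """\
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com.cn udp
"""

MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk", "com.au"}


def parse_rows(text: str) -> List[Tuple[str, str, str, str]]:
    """Each row is 'Country Destination Domain Proto' separated by whitespace."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def ptr_to_ip(name: str) -> str:
    """'68.159.190.20.in-addr.arpa' -> '20.190.159.68' (the address that was reverse-resolved)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def registrable_domain(name: str) -> str:
    """Collapse host labels to the registrable domain; handles the few two-label suffixes listed above."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(rows: List[Tuple[str, str, str, str]]) -> Dict[str, list]:
    by_domain, by_name, reverse = Counter(), Counter(), set()
    for _country, _dest, name, _proto in rows:
        if name.endswith(".in-addr.arpa"):
            reverse.add(ptr_to_ip(name))          # VM/OS reverse lookups, kept for context only
        else:
            by_domain[registrable_domain(name)] += 1
            by_name[name] += 1
    return {
        "candidate_domains": by_domain.most_common(),
        "repeated_names": sorted(n for n, c in by_name.items() if c >= 3),
        "reverse_lookups": sorted(reverse),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

When a process-attributed capture is available (for example from the endpoint sensor rather than the sandbox), run the same triage per process and keep only the domains resolved by the dropped binaries; the reverse lookups then fall away on their own.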

Files

memory/2092-0-0x0000000010000000-0x000000001006D000-memory.dmp

memory/2092-1-0x00000000005A0000-0x00000000005A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 939de3c07f9649aa23adf0bba0957083
SHA1 de3ce59b55ce199dcc5331acc50abe8d2a21eaad
SHA256 8ec61ab66b572da91968541614d7ed530a2df5467c36ea1376ed831d550f6f8a
SHA512 ea9cdd6e0c5cb5d74d692073256ab0325a4e95d1fb6f4d685a570b2813504b1599b5fd774f70b276b819bcd187c0ed1e894bb7c7021d1b54d0c077fe0bd81a1f

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 9c9ae9774dc6ef9ff26e877d33ffdee8
SHA1 f84913892573f2afcf6a62c69c3cbe5cd3c43176
SHA256 91333415d85ba7271e1c4045937bec01ff3b465ec6a6f394e5bb32b181bdb7f6
SHA512 2a40c37155bf4ebbec09bb54bd1e092a9320bcad00c4e1ec2bcde43ac121c925da575d51661ec72f32423fafe39fcdd010054530e63a84ec47fbd8e8faa64d0f

memory/4184-58-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4184-59-0x0000000000A80000-0x0000000000A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 5bd522bf50c1ef3a3d9c88ec34ff8d43
SHA1 0b431f01d318796c3751e2d9bbb0f0b95f494edc
SHA256 19f65a22b46f60099a3a54dc646efc1633e84784b44353732b186aa7aeeb0a32
SHA512 68e55b3e68adb466716b73df94c4f877be5cc98431b2c315dc810e0878f22af5806f32be6a4e52611dbc9923a7292227784d13c06dfc99f2488fcaca23d87800

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

MD5 84c2f789ccc2810e94c41c575c131c49
SHA1 03806917c4b8479f0c15bbc19b153430bb9ace69
SHA256 7194c41ee1300aa345e1ce22eede1efd630a3ef46159feb162ae863e7cfbc7ac
SHA512 485becc17db16b825064f64625eed7561c5f56beeefe179a497e565e76bb03a20806d53d3b2801453d2fa62adb7c6ed7c65988030cf5b7630a0e822bf95b2fa2

memory/2948-74-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-77-0x00000000005C0000-0x00000000005C2000-memory.dmp

C:\Windows\Temp\tmp.exe

MD5 fd32c11afc7dfa66650e5372cf6940b2
SHA1 1c22abde509b72e28c48f00f4b4af74aa43b1fd4
SHA256 eb86b7141be03860c7fa687c4105f806241330e6e44b27f1188f1e2223f636a3
SHA512 84e7ca12dd857bc7c1fb6cca892409b1fbefeeae78f9eda003fbfc38e8d13b136532f6aabcf1034dfa26e8060ff021427d639c7a4b611f57ce9382b73f89e881

memory/2612-95-0x0000000010000000-0x00000000100A5000-memory.dmp

memory/2612-97-0x00000000005A0000-0x00000000005A2000-memory.dmp

memory/5072-109-0x0000000000D70000-0x0000000000D72000-memory.dmp

memory/5072-108-0x0000000010000000-0x00000000100A5000-memory.dmp

memory/2948-111-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-112-0x0000000000E70000-0x0000000000E72000-memory.dmp

memory/2612-114-0x0000000010000000-0x00000000100A5000-memory.dmp

memory/2948-115-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-116-0x0000000000E80000-0x0000000000E82000-memory.dmp

memory/2612-117-0x00000000005A0000-0x00000000005A2000-memory.dmp

memory/5072-119-0x0000000000D70000-0x0000000000D72000-memory.dmp

memory/2948-120-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-121-0x0000000000E90000-0x0000000000E92000-memory.dmp

memory/2612-122-0x0000000010000000-0x00000000100A5000-memory.dmp

memory/2948-124-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

memory/2948-126-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-127-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

memory/2612-128-0x0000000010000000-0x00000000100A5000-memory.dmp

memory/2948-130-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

memory/2948-132-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

memory/2948-133-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-134-0x0000000001060000-0x0000000001062000-memory.dmp

memory/2948-137-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-138-0x0000000001070000-0x0000000001072000-memory.dmp

memory/2948-139-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

memory/2948-141-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-142-0x0000000001080000-0x0000000001082000-memory.dmp

memory/2948-145-0x0000000001090000-0x0000000001092000-memory.dmp

memory/2948-147-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-148-0x00000000010A0000-0x00000000010A2000-memory.dmp

memory/2948-151-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-152-0x00000000010B0000-0x00000000010B2000-memory.dmp

memory/2948-154-0x00000000012D0000-0x00000000012D2000-memory.dmp

memory/2948-157-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-158-0x00000000012E0000-0x00000000012E2000-memory.dmp

memory/2948-161-0x00000000012F0000-0x00000000012F2000-memory.dmp

memory/2948-160-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-166-0x00000000012D0000-0x00000000012D2000-memory.dmp

memory/2948-165-0x0000000001300000-0x0000000001302000-memory.dmp

memory/2948-164-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-168-0x0000000001310000-0x0000000001312000-memory.dmp

memory/2948-172-0x0000000001320000-0x0000000001322000-memory.dmp

memory/2948-171-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-174-0x0000000001330000-0x0000000001332000-memory.dmp

memory/2948-177-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-178-0x0000000001340000-0x0000000001342000-memory.dmp

memory/2948-180-0x0000000001350000-0x0000000001352000-memory.dmp

memory/2948-183-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-184-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-185-0x0000000001360000-0x0000000001362000-memory.dmp

memory/2948-187-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-188-0x0000000001370000-0x0000000001372000-memory.dmp

memory/2948-191-0x0000000001380000-0x0000000001382000-memory.dmp

memory/2948-193-0x0000000001390000-0x0000000001392000-memory.dmp

memory/2948-196-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-197-0x00000000013A0000-0x00000000013A2000-memory.dmp

memory/2948-200-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

memory/2948-199-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2948-203-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 08:28

Reported

2024-03-25 08:31

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\341d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A
N/A N/A C:\Windows\SysWOW64\341d.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2EEF308-7B8A-4274-804F-D4433968632D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B2EEF308-7B8A-4274-804F-D4433968632D}\ C:\Windows\SysWOW64\regsvr32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\341d.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\3bef.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\a1l8.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\a1l8.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\144d.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b34o.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\Dö'-20615187 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\341e.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b34o.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\1ba4.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b4cb.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b4cb.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\b3fs.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\4f3r.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\4f3r.dlltmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\14rb.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\s.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A
File opened for modification C:\Windows\SysWOW64\34ua.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\186 C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\f6f.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\4bad.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ba8u.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\14ba.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\8f6.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\6f1u.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\a8fd.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ba8d.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\bf14.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\a34b.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\a8f.flv C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ba8d.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Tasks\ms.job C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\TypeLib\ = "{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{B2EEF308-7B8A-4274-804F-D4433968632D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{B2EEF308-7B8A-4274-804F-D4433968632D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ = "ITttPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\ = "CTttPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\ = "{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\ProgID\ = "BHO.TttPlayer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\VersionIndependentProgID\ = "BHO.TttPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\TypeLib\ = "{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E1E4EF-5B18-4DDD-84BC-AD908FEC79A1}\ = "ITttPlayer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2EEF308-7B8A-4274-804F-D4433968632D}\InprocServer32\ThreadingModel = "apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\ = "BHO 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C86BE97D-1F23-4C7D-A4FB-C5289FA9663F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\341d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2256 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2620 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2692 wrote to memory of 2976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 2692 wrote to memory of 2164 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\341d.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 1592 wrote to memory of 2852 N/A C:\Windows\SysWOW64\341d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 2712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2692 wrote to memory of 2712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2692 wrote to memory of 2712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2692 wrote to memory of 2712 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
PID 2692 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2692 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd901d376b265f0ee7498d5a879c3492.dll,#1

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"

C:\Windows\SysWOW64\341d.exe

C:\Windows\system32/341d.exe -i

C:\Windows\SysWOW64\341d.exe

C:\Windows\system32/341d.exe -s

C:\Windows\SysWOW64\341d.exe

C:\Windows\SysWOW64\341d.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always

Network

Country Destination Domain Proto
US 8.8.8.8:53 yahoo.com.cn udp
US 8.8.8.8:53 122.770304123.cn udp
US 8.8.8.8:53 122.zzso.cn udp

Files

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

MD5 02268d8af6ffbaac8077c11689c1221d
SHA1 5e503420fcc831bc069e62a1a0e6a57514d363a6
SHA256 10974de778c4d0563e86c5c6ec3700b4ef8e6279ffaa34fee87cfc3ce22febea
SHA512 d9fe94f97a669fcea94293441b3d1abd80233803a1223e672f6109db5f9137f41f1c421da1919044caee400ab191dec73af429c86185aa1d3cf1125a00457654

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

MD5 64dd7f03f03e2f84e40595258125df0b
SHA1 ab228f6d8a4bb69278ef2a80699e728a7b0b5d16
SHA256 434cec81fa841146e731ccf6c863a1dedc54f3f95ab86e726c50bc55682a0c35
SHA512 5115eea3b814158bb59027f9d374e91ef05c464b458716711d1d30978d17071396514e247ed6e1b0f8832909058dbee22156142c69d07607641682dec56681b4

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe

MD5 3c07ab61b887494c64d0772629bdaed7
SHA1 13e342c60559b105a3cebf4a54424a1c0984092f
SHA256 674c84c88e67f1a666492d774d03cd7b5f5fd622f23224e621e672ee2c14c8c7
SHA512 03feea03dcee243d9454a2c36d0000e9d8fbd0cc6da3806f1d8d5f2198af2a38b24c8addb129d723668355787493229e8272db3c320e864ad2b46207f5debdff

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

MD5 919810fc7e3999dcb719f2b9d96a8945
SHA1 849b782498d43f970e63afdbce5f3ffb43fc06e8
SHA256 e620019cc2f968b080fb49173d6e140935229e2c3a2d7b0520188b910ab561ac
SHA512 699f5ed3b4bace1b38dece36a3be54faa7c691488cd314e386450542c5621bb73001e50b3e287835596b4dc1fb82d314651fb8a22795683f4b547018695c4545

C:\Windows\Temp\tmp.exe

MD5 55b6ec15c63b237452f98646d9d22f07
SHA1 01fe10fb063bf8ee1d2ef59d9c8f54e4e7bd19e5
SHA256 9bd6f6fafaa3713fc6c7e247a299dbec6e927008fb5f653b2dc5f8b7b78db5e3
SHA512 0892d57d538679e325f5a50acaf59ac81c29ff25a967dcfbe0f9dea404e630422398f6d687d32a09ffe7d34b58ea907997c9ca17b1b42399bd173f090d2e5030
