Malware Analysis Report

2025-01-18 22:15

Sample ID 240429-254k6adg21
Target 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de
SHA256 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de
Tags upx adware persistence stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Installs/modifies Browser Helper Object

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies registry key

Gathers network information

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-04-29 23:10

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 23:10

Reported

2024-04-29 23:13

Platform

win7-20240221-en

Max time kernel

143s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
PID 2956 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2512 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2512 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1444 wrote to memory of 840 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 840 wrote to memory of 1944 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2388 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2388 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe

"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"

C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe

"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHVUKUNM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 leatrix.org udp
US 15.197.142.173:80 leatrix.org tcp

Files

\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 57880d87727c18229702018c680cd02e
SHA1 a846eff15ad41eab870b09f149ecb6d7fbf55541
SHA256 538204988e058743fd0f1079deffa8610083f087620837f82a6f51c59c7ed1ad
SHA512 7ca9890c9522ebe729fb16dccac796ebcf70cc6bf257f804a98c912a87e62813ae3d03ddfa465ba87a79c0dd6933a3c9882f97ebf0a5d61fdab7ca32ef6576c3

C:\Users\Admin\AppData\Local\Temp\LHVUKUNM.bat

MD5 02cbdd547ced25f8f7dc814d9169d567
SHA1 fc9697d828dcda615f6edd3e49a55b9307dbd311
SHA256 ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
SHA512 cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 23:10

Reported

2024-04-29 23:13

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"

Signatures

UPX dump on OEP (original entry point)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
PID 3508 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1236 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1236 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4736 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3652 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3652 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe

"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"

C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe

"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 272

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 leatrix.org udp

Files

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 673a6c62664b7d786faca5288c6751cf
SHA1 cc616ac9f0d5439e00b31042ca4962c5d7d57805
SHA256 a33607a103a384d9423640d89920058955cbbd6d993104921592fca9afcbfd9d
SHA512 c5899dcf9202040e953d7b30217820047d1c843b73815387347d2caa3e25fc32fc318078b05f3f8373efe2b78d6bdc11f92ab07a3147c366ff1530f8efaf443a

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f
