Malware Analysis Report

2025-01-18 22:18

Sample ID 240429-ecp6qshb99
Target f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853
SHA256 f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853
Tags
upx adware persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853

Threat Level: Known bad

The file f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853 was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Installs/modifies Browser Helper Object

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Gathers network information

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-29 03:47

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 03:47

Reported

2024-04-29 03:50

Platform

win7-20240419-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
PID 2980 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2340 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2340 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2512 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 756 wrote to memory of 804 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2164 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe

"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"

C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe

"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QTJDBIRH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 leatrix.org udp

Files

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 98a6adb0cba3a70fec253f835ec0bf5a
SHA1 b78e4e33cdf688070c73efa428d886319f0e5264
SHA256 e4ba614090f0ec26b05e3aa02551ce330c4195c37ca119644d6bba78348f7eca
SHA512 62b1e1b9dfcaeaec89b27e9c20c6bb9a0d6503d16101383c6a568989978f31578cf90a1b07d9fce2587f145d7a519fdf83e92d85eb233ef41dd2b4b133306177

C:\Users\Admin\AppData\Local\Temp\QTJDBIRH.bat

MD5 02cbdd547ced25f8f7dc814d9169d567
SHA1 fc9697d828dcda615f6edd3e49a55b9307dbd311
SHA256 ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
SHA512 cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

memory/2512-103-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2164-106-0x0000000000400000-0x0000000000471000-memory.dmp

\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 03:47

Reported

2024-04-29 03:50

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"

Signatures

UPX dump on OEP (original entry point)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe
PID 5060 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 3812 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 3812 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4488 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4976 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4976 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe

"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"

C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe

"C:\Users\Admin\AppData\Local\Temp\f0a375676a19b0db2294bd1f6e792d477de9f367f07dabadddae1e6c6a669853.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 272

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 leatrix.org udp

Files

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 332fd0be91557639b36f8c438da4cdb5
SHA1 a68c9bbe82f09b6874197423a8c47344742da401
SHA256 3f9a4e0547000bc5bac4d39c21baa3527572a2cca8986311f2139498642cd875
SHA512 c136d5bb504e1e65675cd48437ddec56621615281a93c7a9b8ff6147d77cf21c3e35163eb66fa78e66e6375d08133d2ae69832c6d99379f335776cbef756af8a

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f
