Malware Analysis Report

2025-01-18 22:05

Sample ID 240503-xqbvdadd2v
Target 16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021
SHA256 16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021
Tags adware stealer upx persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021

Threat Level: Known bad

The file 16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021 was found to be: Known bad.

Malicious Activity Summary

adware stealer upx persistence

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Installs/modifies Browser Helper Object

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Gathers network information

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 19:03

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 19:03

Reported

2024-05-03 19:05

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1312 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1732 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1732 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1732 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2228 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2228 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2228 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2228 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2228 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 3032 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3032 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3032 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3032 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3032 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3032 wrote to memory of 3112 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe

"C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe"

C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe

"C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2900 -ip 2900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 272

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 2.17.196.65:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
BE | 2.17.196.65:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | leatrix.org | udp
US | 15.197.142.173:80 | leatrix.org | tcp
US | 15.197.142.173:80 | leatrix.org | tcp
US | 8.8.8.8:53 | 173.142.197.15.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
IE | 52.111.236.23:443 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/1312-0-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1312-3-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1312-4-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1312-8-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/1312-7-0x00000000056A0000-0x00000000056A1000-memory.dmp

memory/1312-6-0x0000000004330000-0x0000000004331000-memory.dmp

memory/1312-5-0x0000000002160000-0x0000000002161000-memory.dmp

memory/1732-9-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1732-11-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1312-15-0x0000000000400000-0x000000000049C000-memory.dmp

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 770db4eda9e67fef368fbaec125e01e0
SHA1 d068e21e5333d3830e6edb7337097bd01c84954c
SHA256 1fe01c2cd3377f5290e1eff3d0a764ced91e609992a6a7704615e76c7c097f4f
SHA512 59a469195fa88697c4e4dde44be7b4191d9431654eef4b2da247841b950bb20f5ee117c2a81df4f437ff5ce546b65dc9b8e0d61bb69cade377a819e0c9eb7a73

memory/4088-21-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1732-24-0x0000000000410000-0x00000000004D9000-memory.dmp

memory/1732-26-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4088-27-0x0000000000400000-0x000000000049C000-memory.dmp

memory/4088-33-0x0000000000400000-0x000000000049C000-memory.dmp

memory/3032-51-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2228-50-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3032-47-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-46-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-45-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-44-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-43-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-42-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-85-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-78-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-75-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-63-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-61-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-41-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-40-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4088-39-0x0000000000400000-0x000000000049C000-memory.dmp

memory/3032-37-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-36-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-34-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-96-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-97-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

memory/3032-95-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-93-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-94-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-89-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-92-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-91-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-90-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-88-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-87-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-86-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-84-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-83-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-82-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-81-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-80-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-79-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-77-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-76-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-74-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-73-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-72-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-71-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-70-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-69-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-68-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-67-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-66-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-65-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2228-168-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3032-64-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-62-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-60-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-53-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3032-171-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 19:03

Reported

2024-05-03 19:05

Platform

win7-20240221-en

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe"

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray" | C:\Windows\SysWOW64\reg.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 2940 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe
PID 1296 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1296 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1296 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1296 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2588 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2460 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2460 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2460 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2460 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2460 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 2460 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\ipconfig.exe
PID 1640 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 2376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 2376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1988 wrote to memory of 2376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2736 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe

"C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe"

C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe

"C:\Users\Admin\AppData\Local\Temp\16be22997addc7a32e4949fd5f2cc83de24c35ee4518e825366406150c26c021.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMLTHGID.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 leatrix.org udp
US 15.197.142.173:80 leatrix.org tcp
US 15.197.142.173:80 leatrix.org tcp

Files

memory/2940-0-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2940-3-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2940-4-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2940-24-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1296-23-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2940-22-0x0000000005FF0000-0x000000000608C000-memory.dmp

memory/2940-21-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2940-20-0x0000000000590000-0x0000000000591000-memory.dmp

memory/2940-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2940-18-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1296-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1296-9-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1296-7-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1296-5-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1296-37-0x0000000002590000-0x000000000262C000-memory.dmp

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 c0319ccb2b501b0606d39568b009dcf6
SHA1 e310cdd87b28f0ea49e8a6cb2419262a564f34bb
SHA256 9a36463488749df0ecd72038e574f30eab44d6c68a67d56a22e03c957bcf553b
SHA512 026a8a22bf3aaf2f5bbdf335a9919e5464b39123babac4a265ea88481bc1de2a815a67924af67100b6db0adb5475fe057934c208a0f53feb24b83d308b31fb07

memory/1296-40-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2588-41-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2736-60-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-87-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1640-93-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2736-80-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-79-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2588-78-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2736-77-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2588-72-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2736-70-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-68-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-66-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-64-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-62-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-58-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-88-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-86-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-85-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-84-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMLTHGID.bat

MD5 02cbdd547ced25f8f7dc814d9169d567
SHA1 fc9697d828dcda615f6edd3e49a55b9307dbd311
SHA256 ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
SHA512 cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

memory/2736-83-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2736-81-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2460-100-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2736-75-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

memory/2736-216-0x0000000000400000-0x0000000000471000-memory.dmp