amadey | 2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205

Analysis

max time kernel
149s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
Size

1.8MB
MD5

a545015277adb79890693c2aa95bd1ad
SHA1

64d174ec5dedfc9e25887213221fb171707ef8a7
SHA256

2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205
SHA512

560e9f3bc48a8e40133336f320feb22774c0da73c6947af4a159b881086ab07d60326f63c4cd41041fee23b9223188243ce1a121cdb200751ef068bf9499eb37
SSDEEP

49152:ZpvNociR3yxx1JLSYwy9AdBVoHwVC5Sm2EfR/kCN:dOgDhSThxkFDS

Score

10^/10

amadey risepro evasion persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorku.exeamers.exeaxplons.exeaxplons.exeexplorku.exe2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeexplorku.exeaxplons.exeexplorku.exef2e3cbf6ad.exeexplorku.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f2e3cbf6ad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplons.exeexplorku.exef2e3cbf6ad.exeaxplons.exe2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeexplorku.exeamers.exeexplorku.exeaxplons.exeexplorku.exeexplorku.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f2e3cbf6ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f2e3cbf6ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe

Executes dropped EXE 11 IoCs

Processes:

explorku.exeexplorku.exeamers.exeaxplons.exeexplorku.exef2e3cbf6ad.exeinstaller.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe

pid	Process
2728	explorku.exe
4264	explorku.exe
1080	amers.exe
4908	axplons.exe
3432	explorku.exe
1072	f2e3cbf6ad.exe
4992	installer.exe
4732	axplons.exe
3972	explorku.exe
3912	axplons.exe
3928	explorku.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorku.exeaxplons.exeexplorku.exeaxplons.exe2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeexplorku.exeamers.exeaxplons.exeexplorku.exeexplorku.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorku.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorku.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorku.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorku.exe
Key opened	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine	explorku.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/files/0x000100000002a9d7-100.dat	themida
behavioral2/memory/1072-114-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-115-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-118-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-116-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-117-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-119-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-122-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-121-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-120-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida
behavioral2/memory/1072-157-0x00000000004B0000-0x0000000000B29000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\f2e3cbf6ad.exe = "C:\\Users\\Admin\\1000006002\\f2e3cbf6ad.exe"	explorku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\installer.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000011001\\installer.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f2e3cbf6ad.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f2e3cbf6ad.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeexplorku.exeexplorku.exeamers.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe

pid	Process
2404	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
2728	explorku.exe
4264	explorku.exe
1080	amers.exe
4908	axplons.exe
3432	explorku.exe
4732	axplons.exe
3972	explorku.exe
3912	axplons.exe
3928	explorku.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorku.exe

description	pid	Process	procid_target
PID 2728 set thread context of 4264	2728	explorku.exe	83

Drops file in Windows directory 2 IoCs

Processes:

2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeamers.exe

description	ioc	Process
File created	C:\Windows\Tasks\explorku.job	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeexplorku.exeexplorku.exeamers.exeaxplons.exeexplorku.exeinstaller.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe

pid	Process
2404	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
2404	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
2728	explorku.exe
2728	explorku.exe
4264	explorku.exe
4264	explorku.exe
1080	amers.exe
1080	amers.exe
4908	axplons.exe
4908	axplons.exe
3432	explorku.exe
3432	explorku.exe
4992	installer.exe
4992	installer.exe
4732	axplons.exe
4732	axplons.exe
3972	explorku.exe
3972	explorku.exe
3912	axplons.exe
3912	axplons.exe
3928	explorku.exe
3928	explorku.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installer.exe

description	pid	Process
Token: SeDebugPrivilege	4992	installer.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exeexplorku.exeamers.exe

description	pid	Process	procid_target
PID 2404 wrote to memory of 2728	2404	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe	82
PID 2404 wrote to memory of 2728	2404	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe	82
PID 2404 wrote to memory of 2728	2404	2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe	82
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 4264	2728	explorku.exe	83
PID 2728 wrote to memory of 1080	2728	explorku.exe	84
PID 2728 wrote to memory of 1080	2728	explorku.exe	84
PID 2728 wrote to memory of 1080	2728	explorku.exe	84
PID 1080 wrote to memory of 4908	1080	amers.exe	85
PID 1080 wrote to memory of 4908	1080	amers.exe	85
PID 1080 wrote to memory of 4908	1080	amers.exe	85
PID 2728 wrote to memory of 1072	2728	explorku.exe	87
PID 2728 wrote to memory of 1072	2728	explorku.exe	87
PID 2728 wrote to memory of 1072	2728	explorku.exe	87
PID 2728 wrote to memory of 4992	2728	explorku.exe	88
PID 2728 wrote to memory of 4992	2728	explorku.exe	88

C:\Users\Admin\AppData\Local\Temp\2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe
"C:\Users\Admin\AppData\Local\Temp\2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:4908
- - C:\Users\Admin\1000006002\f2e3cbf6ad.exe
    "C:\Users\Admin\1000006002\f2e3cbf6ad.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\1000011001\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\1000011001\installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4992

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3432

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3912

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000006002\f2e3cbf6ad.exe

Filesize
2.1MB

MD5
ba7a6e2153260b9b3acc44afc052354a

SHA1
8c3c64aceb59f36d4cae124961c71b1dd7e7e8de

SHA256
b1dc825eb3cb0d4cb5a09168d33df436ed151f29eef926c274c9a7cf1b8bb6a3

SHA512
34f3b507c9ae5e2307c07c2227fd813e50684734077f6e0b1b72db27a64877f2266296f7e6898efedb0ef3baaf2c09e8d11529169573146460da15c6768e81be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe

Filesize
1.8MB

MD5
28c474451853446abe7971cf9d2c4b4c

SHA1
7cb24e9633034b04ef8bd294c5df2240259c28c5

SHA256
7ae609ce947e005ddfd6bba4505a5cd5ec897e8bf55d304e2d8a56fa961f545d

SHA512
3dbdb4d8edd84a31633f6e613f61c4636f41ba306dc9a3b2febdedfa9b3dfe61c6d13514ba9daf1ae619b4f3444ecc10ed4138fb0480f9839083996aa0f93c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\installer.exe

Filesize
621KB

MD5
611a4246c5aabf1594344d7bd3fccb4c

SHA1
cf0e6b3ecb479a8bdb7421090ecc89148db9f83b

SHA256
aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e

SHA512
0daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.8MB

MD5
a545015277adb79890693c2aa95bd1ad

SHA1
64d174ec5dedfc9e25887213221fb171707ef8a7

SHA256
2048bcca69c7a5f69d1b2fc41ab46116de52fc22e3d165ecd98c37f97d727205

SHA512
560e9f3bc48a8e40133336f320feb22774c0da73c6947af4a159b881086ab07d60326f63c4cd41041fee23b9223188243ce1a121cdb200751ef068bf9499eb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzgfo5yi.kc2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1072-119-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-122-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-116-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-117-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-118-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-114-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-115-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-157-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-120-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1072-121-0x00000000004B0000-0x0000000000B29000-memory.dmp

Filesize
6.5MB

Download
memory/1080-86-0x00000000001A0000-0x000000000064B000-memory.dmp

Filesize
4.7MB

Download
memory/1080-73-0x00000000001A0000-0x000000000064B000-memory.dmp

Filesize
4.7MB

Download
memory/2404-2-0x0000000000691000-0x00000000006BF000-memory.dmp

Filesize
184KB

Download
memory/2404-5-0x0000000000690000-0x0000000000B51000-memory.dmp

Filesize
4.8MB

Download
memory/2404-17-0x0000000000690000-0x0000000000B51000-memory.dmp

Filesize
4.8MB

Download
memory/2404-1-0x0000000077726000-0x0000000077728000-memory.dmp

Filesize
8KB

Download
memory/2404-0-0x0000000000690000-0x0000000000B51000-memory.dmp

Filesize
4.8MB

Download
memory/2404-3-0x0000000000690000-0x0000000000B51000-memory.dmp

Filesize
4.8MB

Download
memory/2728-156-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-20-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-161-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-166-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-265-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-270-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-18-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-19-0x0000000000CD1000-0x0000000000CFF000-memory.dmp

Filesize
184KB

Download
memory/2728-92-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-57-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-93-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-87-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-97-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-21-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/2728-94-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/3432-91-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/3432-90-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/3912-314-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/3912-310-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/3928-316-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/3928-312-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/3972-281-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/3972-279-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/4264-52-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-46-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-51-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-32-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-30-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-35-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-33-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-34-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-36-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-37-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-40-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-39-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-41-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-42-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-49-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-53-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-55-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-56-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-54-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-24-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-50-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-27-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-28-0x0000000000CD0000-0x0000000001191000-memory.dmp

Filesize
4.8MB

Download
memory/4264-29-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-31-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-38-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-43-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-48-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-44-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-45-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4264-47-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4732-273-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4732-275-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-159-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-164-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-88-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-150-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-263-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-158-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4908-268-0x0000000000330000-0x00000000007DB000-memory.dmp

Filesize
4.7MB

Download
memory/4992-155-0x000000001D0A0000-0x000000001D0BC000-memory.dmp

Filesize
112KB

Download
memory/4992-160-0x000000001FB90000-0x000000001FD43000-memory.dmp

Filesize
1.7MB

Download
memory/4992-154-0x000000001CD90000-0x000000001CF52000-memory.dmp

Filesize
1.8MB

Download
memory/4992-153-0x000000001D0F0000-0x000000001D618000-memory.dmp

Filesize
5.2MB

Download
memory/4992-152-0x0000000002B90000-0x0000000002B9A000-memory.dmp

Filesize
40KB

Download
memory/4992-151-0x0000000002B20000-0x0000000002B42000-memory.dmp

Filesize
136KB

Download
memory/4992-168-0x000000001B720000-0x000000001B732000-memory.dmp

Filesize
72KB

Download
memory/4992-141-0x0000000000540000-0x00000000005E2000-memory.dmp

Filesize
648KB

Download