Malware Analysis Report

2025-03-15 03:58

Sample ID 240518-pp4j1abf65
Target 7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e
SHA256 7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e
Tags
amadey risepro 18befc c767c0 evasion persistence stealer themida trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e

Threat Level: Known bad

The file 7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e was found to be: Known bad.

Malicious Activity Summary

amadey risepro 18befc c767c0 evasion persistence stealer themida trojan

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 12:31

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 12:31

Reported

2024-05-18 12:33

Platform

win11-20240426-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\169369dbb4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\169369dbb4.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4624 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4624 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4908 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4908 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4908 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4908 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4908 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4908 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1724 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1724 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1724 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4908 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe
PID 4908 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe
PID 4908 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe

"C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 52.111.229.43:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 ef8cf80eb251ee210620d0d0346c2502
SHA1 056b635e550dee750368f5f4cccc8d6827959994
SHA256 7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e
SHA512 c27b7375645400e27b29166c4ecda06b4a5387bcc1791de75c0fab2cc2dcf3e71a2e9ad50b42ec014902ff2153d3bc1772a83245e8d7aedad31210f7f8b2850f

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 90520da5fd2788ae5f9767d87d9a9e4d
SHA1 4b91a9c45f8c697c9136bb845862180324628a83
SHA256 2b6ad38369505e3301ab891b56557518078bd0d5469a540bbcc37ccf035de580
SHA512 8bc030a139b26dfe7c713574112cc3371b5492067f321103bb63f03704c58e3b94442313042404dbc236d5b7d010025b883baa4e5f3d13e688afdea419c344e1

C:\Users\Admin\AppData\Local\Temp\1000014001\169369dbb4.exe

MD5 9214a1d6c42be040f5a5951cf837b8d1
SHA1 7cc1dacc64a199fb7446ce056bd4db9ecdd70afe
SHA256 57d84c5ba815f4ed88ebf8fe424cb5dac59d359d046dd14b9d65c8b4c8bbcc9b
SHA512 fd5efc5c64cfe3fde49e63c3437327e509280aed85c0cee37a304ab0516984bfe4757c1beac84e69ed1349ddf801ac58e945f2e506f10a35ea5bf7ec137c2594

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 12:31

Reported

2024-05-18 12:33

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b666edfd3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\4b666edfd3.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4668 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4668 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4668 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4436 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4436 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4436 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4436 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4436 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4436 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 3180 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3180 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3180 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4436 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe
PID 4436 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe
PID 4436 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe

"C:\Users\Admin\AppData\Local\Temp\7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 ef8cf80eb251ee210620d0d0346c2502
SHA1 056b635e550dee750368f5f4cccc8d6827959994
SHA256 7f6221f318225f1498f526bdf02b88de49977cf26c83d804a9c96ab7fdd9080e
SHA512 c27b7375645400e27b29166c4ecda06b4a5387bcc1791de75c0fab2cc2dcf3e71a2e9ad50b42ec014902ff2153d3bc1772a83245e8d7aedad31210f7f8b2850f

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 90520da5fd2788ae5f9767d87d9a9e4d
SHA1 4b91a9c45f8c697c9136bb845862180324628a83
SHA256 2b6ad38369505e3301ab891b56557518078bd0d5469a540bbcc37ccf035de580
SHA512 8bc030a139b26dfe7c713574112cc3371b5492067f321103bb63f03704c58e3b94442313042404dbc236d5b7d010025b883baa4e5f3d13e688afdea419c344e1

C:\Users\Admin\AppData\Local\Temp\1000014001\4b666edfd3.exe

MD5 9214a1d6c42be040f5a5951cf837b8d1
SHA1 7cc1dacc64a199fb7446ce056bd4db9ecdd70afe
SHA256 57d84c5ba815f4ed88ebf8fe424cb5dac59d359d046dd14b9d65c8b4c8bbcc9b
SHA512 fd5efc5c64cfe3fde49e63c3437327e509280aed85c0cee37a304ab0516984bfe4757c1beac84e69ed1349ddf801ac58e945f2e506f10a35ea5bf7ec137c2594
