Malware Analysis Report

2025-03-15 03:58

Sample ID 240519-ke728aaf9s
Target 0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281
SHA256 0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281
Tags
themida amadey 18befc evasion trojan risepro c767c0 persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281

Threat Level: Known bad

The file 0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281 was found to be: Known bad.

Malicious Activity Summary

themida amadey 18befc evasion trojan risepro c767c0 persistence stealer

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 08:31

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 08:31

Reported

2024-05-19 08:34

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe

"C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 a63894cd5aceeab403385eb06e4fd6b0
SHA1 3e4df142ac5f08bc72ce5d5177b3130407a8b785
SHA256 0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281
SHA512 2527822c56b492e3ded906dac902ad5f15b6a9ea859a5d90041ac6a6f33253980af1462268abc7d12683758cd66ac61d3a49f5eeb218cf827c730366307b122f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 08:31

Reported

2024-05-19 08:34

Platform

win11-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\fee09a36ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\fee09a36ba.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1360 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1360 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 828 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 828 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 828 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 828 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 828 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 828 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4460 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4460 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4460 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 828 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe
PID 828 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe
PID 828 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe

"C:\Users\Admin\AppData\Local\Temp\0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 a63894cd5aceeab403385eb06e4fd6b0
SHA1 3e4df142ac5f08bc72ce5d5177b3130407a8b785
SHA256 0dc81099a7d5ed3433254bd1db8f8deecc91af894890cff9577f72c25f49b281
SHA512 2527822c56b492e3ded906dac902ad5f15b6a9ea859a5d90041ac6a6f33253980af1462268abc7d12683758cd66ac61d3a49f5eeb218cf827c730366307b122f

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 ec04f77c1b0c8668633d8c5f7d56eafb
SHA1 17153e4876e678d6d8a4229658f19f806b7c5fba
SHA256 5264db25838247b1d56747e7152690dbc27ee42ff91e85a15f56f5d889f13cd5
SHA512 228833bff03c7f683fd5b47df6f13e83e10f99b5163c1c64c0b1bf2c5f1dc9f56ed5448a2e7ba455fa9eae539f1c6a0b1827f0598f454319a7ce2fa4660eb924

C:\Users\Admin\AppData\Local\Temp\1000014001\fee09a36ba.exe

MD5 96d2a4238ec438de6c8e9ef6974c8c08
SHA1 342b05f1bb21a9f80b0412ab1c73e5e7db991fc6
SHA256 a5c7fa88ab71edd5e38930be978712ecc4f809e5461c8dcb9e36ea06a2ecc643
SHA512 b4ab53e3c370aed1f9e079f84cd89e3f49addd25a0c540604a878f3c2119f9523ee721cead56aac5ba2da0ce65c3b6681f13bb3ea11e56d1fcec9320c30689de
