Malware Analysis Report

2025-03-15 03:56

Sample ID 240519-pmbq7shb8y
Target b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a
SHA256 b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a
Tags
themida amadey risepro 18befc c767c0 evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a

Threat Level: Known bad

The file b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a was found to be: Known bad.

Malicious Activity Summary

themida amadey risepro 18befc c767c0 evasion persistence stealer trojan

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Identifies Wine through registry keys

Themida packer

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 12:26

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 12:26

Reported

2024-05-19 12:28

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000017002\65e00feeb2.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000017002\65e00feeb2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000017002\65e00feeb2.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\1000017002\65e00feeb2.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8bd6bc6971.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\8bd6bc6971.exe" | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorku.job | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
File created | C:\Windows\Tasks\axplons.job | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 216 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 216 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 216 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4700 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4700 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4700 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4700 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4700 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4700 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 3180 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3180 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3180 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4700 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe
PID 4700 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe
PID 4700 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe
PID 4700 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\1000017002\65e00feeb2.exe
PID 4700 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\1000017002\65e00feeb2.exe
PID 4700 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\1000017002\65e00feeb2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe

"C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe"

C:\Users\Admin\1000017002\65e00feeb2.exe

"C:\Users\Admin\1000017002\65e00feeb2.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 5.42.96.141:80 | 5.42.96.141 | tcp
RU | 5.42.96.7:80 | 5.42.96.7 | tcp
US | 8.8.8.8:53 | 141.96.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.96.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
BE | 2.17.196.74:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 74.196.17.2.in-addr.arpa | udp
RU | 5.42.96.7:80 | 5.42.96.7 | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/216-0-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-3-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-8-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-7-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-6-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-5-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-4-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-1-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/216-2-0x0000000000E60000-0x0000000001393000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 19a8e6f59fb6b048ccb6f53c5d18e07f
SHA1 5efca42a754037b1599337b0832843ee3bd0aaf3
SHA256 b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a
SHA512 068ba390e2e539dce1156da87f02c0f7e4e717aeb2e1f68d9fa9a0aadc065cd5ef8196c8c72c6060a0a2a17f905cacf74d7eab952e6a02a5e5f831251fa24964

memory/216-21-0x0000000000E60000-0x0000000001393000-memory.dmp

memory/4700-25-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-28-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-30-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-27-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-24-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-29-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-23-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-22-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4700-26-0x00000000003B0000-0x00000000008E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 16e41bf10edd66dc4a0f472193f9bdf7
SHA1 f36900689bafe0b56cd26e4e3966b8250ad67976
SHA256 7b15f9a7c0001c2f959e1fd64e239ba8ec4ed49ad9828aa7ad603ae5be846e2f
SHA512 8d0584b67035eb1a60cb9e729e64f9d62119a6e34c6ed5ae3289db61b9275d3dfbc3becd244e279ca83427c14c29122a75b8e014401a073f6dd45c45e47536f7

memory/3180-48-0x0000000000740000-0x0000000000BFE000-memory.dmp

memory/3180-49-0x0000000077314000-0x0000000077316000-memory.dmp

memory/1580-63-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/3180-62-0x0000000000740000-0x0000000000BFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\8bd6bc6971.exe

MD5 4d051acbdc003eaafd05b6b6ee76f93d
SHA1 59cf7956a9082d7d6e31f01494e9578a0633b5de
SHA256 ab66ac8473be431fc255fa770527395f24dafeae2aa901e782555b1d89b22ae6
SHA512 e035feef01382a0e3f3dbb3f6faf946a51c2f8e472b2a2eede013bdc46874447ec8734b4f9ec197bc983c4ba59b6a1d9677e35c6871e2ca987c6dbf0c272116f

memory/4700-81-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/3432-83-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-84-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-85-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-86-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-88-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-87-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-89-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-90-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/3432-91-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/2464-107-0x00000000009A0000-0x0000000000E5E000-memory.dmp

memory/2464-109-0x00000000009A0000-0x0000000000E5E000-memory.dmp

memory/4700-110-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1580-111-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/3432-112-0x0000000000960000-0x0000000000FDA000-memory.dmp

memory/1580-114-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-116-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/4736-120-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1860-126-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-127-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-124-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-123-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-122-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-125-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-121-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-119-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/1860-128-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4736-129-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-131-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-134-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-136-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-140-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-143-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/1580-146-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/4452-150-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4828-154-0x00000000006C0000-0x0000000000B7E000-memory.dmp

memory/4452-153-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4452-152-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4452-151-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4452-160-0x00000000003B0000-0x00000000008E3000-memory.dmp

memory/4828-162-0x00000000006C0000-0x0000000000B7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 12:26

Reported

2024-05-19 12:28

Platform

win11-20240426-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\1000017002\8bd6bc6971.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\1000017002\8bd6bc6971.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\1000017002\8bd6bc6971.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\1000017002\8bd6bc6971.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\dcea715617.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\dcea715617.exe" | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorku.job | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | N/A
File created | C:\Windows\Tasks\axplons.job | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3928 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3928 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3928 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2980 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2980 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2980 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 2980 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 2976 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 2976 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 2976 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 2980 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe
PID 2980 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe
PID 2980 wrote to memory of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe
PID 2980 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\1000017002\8bd6bc6971.exe
PID 2980 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\1000017002\8bd6bc6971.exe
PID 2980 wrote to memory of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe | C:\Users\Admin\1000017002\8bd6bc6971.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe

"C:\Users\Admin\AppData\Local\Temp\b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe"

C:\Users\Admin\1000017002\8bd6bc6971.exe

"C:\Users\Admin\1000017002\8bd6bc6971.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

memory/3928-0-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-1-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-2-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-3-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-4-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-6-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-5-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-7-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/3928-8-0x00000000007E0000-0x0000000000D13000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 19a8e6f59fb6b048ccb6f53c5d18e07f
SHA1 5efca42a754037b1599337b0832843ee3bd0aaf3
SHA256 b2d62d20ec70ede4ce24df6e54fb35923b6258f7ea466bb18252ce37e940d31a
SHA512 068ba390e2e539dce1156da87f02c0f7e4e717aeb2e1f68d9fa9a0aadc065cd5ef8196c8c72c6060a0a2a17f905cacf74d7eab952e6a02a5e5f831251fa24964

memory/3928-21-0x00000000007E0000-0x0000000000D13000-memory.dmp

memory/2980-23-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-29-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-27-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-30-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-28-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-26-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-25-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-24-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2980-22-0x00000000000B0000-0x00000000005E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 16e41bf10edd66dc4a0f472193f9bdf7
SHA1 f36900689bafe0b56cd26e4e3966b8250ad67976
SHA256 7b15f9a7c0001c2f959e1fd64e239ba8ec4ed49ad9828aa7ad603ae5be846e2f
SHA512 8d0584b67035eb1a60cb9e729e64f9d62119a6e34c6ed5ae3289db61b9275d3dfbc3becd244e279ca83427c14c29122a75b8e014401a073f6dd45c45e47536f7

memory/2976-48-0x00000000002C0000-0x000000000077E000-memory.dmp

memory/2976-49-0x0000000077D46000-0x0000000077D48000-memory.dmp

memory/4140-63-0x0000000000370000-0x000000000082E000-memory.dmp

memory/2976-62-0x00000000002C0000-0x000000000077E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\dcea715617.exe

MD5 4d051acbdc003eaafd05b6b6ee76f93d
SHA1 59cf7956a9082d7d6e31f01494e9578a0633b5de
SHA256 ab66ac8473be431fc255fa770527395f24dafeae2aa901e782555b1d89b22ae6
SHA512 e035feef01382a0e3f3dbb3f6faf946a51c2f8e472b2a2eede013bdc46874447ec8734b4f9ec197bc983c4ba59b6a1d9677e35c6871e2ca987c6dbf0c272116f

memory/4988-82-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-84-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-85-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-87-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-90-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-88-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-89-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-86-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4988-83-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/5108-107-0x00000000006E0000-0x0000000000B9E000-memory.dmp

memory/2980-101-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/5108-109-0x00000000006E0000-0x0000000000B9E000-memory.dmp

memory/2980-111-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/4140-110-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4988-112-0x0000000000C00000-0x000000000127A000-memory.dmp

memory/4140-114-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-115-0x0000000000370000-0x000000000082E000-memory.dmp

memory/1876-120-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1876-121-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1876-125-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1876-126-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1876-124-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1876-123-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1876-122-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/4140-119-0x0000000000370000-0x000000000082E000-memory.dmp

memory/1876-127-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/3268-129-0x0000000000370000-0x000000000082E000-memory.dmp

memory/1876-131-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/3268-132-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-135-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-138-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-141-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-144-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-147-0x0000000000370000-0x000000000082E000-memory.dmp

memory/1828-152-0x0000000000370000-0x000000000082E000-memory.dmp

memory/4140-151-0x0000000000370000-0x000000000082E000-memory.dmp

memory/2248-156-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/2248-155-0x00000000000B0000-0x00000000005E3000-memory.dmp

memory/1828-164-0x0000000000370000-0x000000000082E000-memory.dmp

memory/2248-166-0x00000000000B0000-0x00000000005E3000-memory.dmp