Malware Analysis Report

2025-03-15 03:56

Sample ID 240520-kbs4wscc5w
Target 5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32
SHA256 5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32
Tags themida amadey risepro 18befc c767c0 evasion persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32

Threat Level: Known bad

The file 5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32 was found to be: Known bad.

Malicious Activity Summary

themida amadey risepro 18befc c767c0 evasion persistence stealer trojan

RisePro

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

Checks BIOS information in registry

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-20 08:25

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-20 08:25
Reported 2024-05-20 08:28
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\d1da18259a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\d1da18259a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\d1da18259a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\1000017002\d1da18259a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (42 identical rows; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01fda08792.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\01fda08792.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (x3)
PID 4244 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (x3)
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe (x3)
PID 2448 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe (x3)
PID 4244 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe (x3)
PID 4244 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\d1da18259a.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe
"C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (6 instances; command line recorded for 2)
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe (5 instances; command line recorded for 1)
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe"

C:\Users\Admin\1000017002\d1da18259a.exe
"C:\Users\Admin\1000017002\d1da18259a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp (x2)
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (x2)
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (SHA256 identical to the submitted sample, i.e. a copy of it)

MD5 b06621cf3c68e539d210a08eb7e42706
SHA1 43edb75c077a591bb04025d0d09a0bad858077e7
SHA256 5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32
SHA512 da63de92955cbc10d880542d83bd1b14226c0032e8cb081658875aad791aa2f419726eb52ea9b1c45f8df16bd5fa3972e560552bd81ef092b4f0feb0754e1be3

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 6c6988bb83df30c3eb68c1210c8d6a9a
SHA1 587292f60e1a5ed26291ae25df8b2ddaf2af0794
SHA256 9f02bfc13411cf191a9de7c4290ae2c2c277d4fd6f251455200756e81b3bbc0c
SHA512 fa90377483b463161f79f76622e7c4a72efbbf15b77c3e99fbc75d6f9ab31f02d96204c764fe8a66af3949e6d20ce91d36d2c86942b49b6bd9cd7a0fca5a6c41

C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe

MD5 02ee31d0891af2f82731fdad32078da0
SHA1 2dd1a1f539d4d4af793e660d9afe480820991ea2
SHA256 1d81c7cd634ad75ce6367c12f2c320c0b25494ea0dd204dfbcca007ca50c9fbe
SHA512 bb7fa0a65983eb6378bf0deea25f7f4d77fffc81a8a53669fb0556424ec6762d4cf23bc31281f4fa2e888d4d3000c969d3df91735705308ae3246980898bffd3

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-20 08:25
Reported 2024-05-20 08:28
Platform win11-20240419-en
Max time kernel 145s
Max time network 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\8203f13870.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\8203f13870.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\8203f13870.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A (x3)
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\1000017002\8203f13870.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (43 identical rows; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\01fda08792.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\01fda08792.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A (x3)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (x3)
PID 2792 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (x3)
PID 2792 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe (x3)
PID 2172 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe (x3)
PID 2792 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe (x3)
PID 2792 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\8203f13870.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe
"C:\Users\Admin\AppData\Local\Temp\5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (6 instances; command line recorded for 2)
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe (5 instances; command line recorded for 1)
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe"

C:\Users\Admin\1000017002\8203f13870.exe
"C:\Users\Admin\1000017002\8203f13870.exe"

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

memory/2940-0-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-1-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-3-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-2-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-7-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-6-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-5-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2940-4-0x0000000000FE0000-0x00000000014BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 b06621cf3c68e539d210a08eb7e42706
SHA1 43edb75c077a591bb04025d0d09a0bad858077e7
SHA256 5a2cec4e1c9014b11eaef47d7e333d74b24b3809dea8f4742332fdec54654e32
SHA512 da63de92955cbc10d880542d83bd1b14226c0032e8cb081658875aad791aa2f419726eb52ea9b1c45f8df16bd5fa3972e560552bd81ef092b4f0feb0754e1be3

memory/2940-18-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/2792-20-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-22-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-26-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-27-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-25-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-24-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-21-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2792-23-0x0000000000C10000-0x00000000010EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 6c6988bb83df30c3eb68c1210c8d6a9a
SHA1 587292f60e1a5ed26291ae25df8b2ddaf2af0794
SHA256 9f02bfc13411cf191a9de7c4290ae2c2c277d4fd6f251455200756e81b3bbc0c
SHA512 fa90377483b463161f79f76622e7c4a72efbbf15b77c3e99fbc75d6f9ab31f02d96204c764fe8a66af3949e6d20ce91d36d2c86942b49b6bd9cd7a0fca5a6c41

memory/2172-45-0x0000000000780000-0x0000000000C42000-memory.dmp

memory/2172-46-0x0000000077736000-0x0000000077738000-memory.dmp

memory/2172-59-0x0000000000780000-0x0000000000C42000-memory.dmp

memory/2792-60-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/4760-61-0x0000000000010000-0x00000000004D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\01fda08792.exe

MD5 02ee31d0891af2f82731fdad32078da0
SHA1 2dd1a1f539d4d4af793e660d9afe480820991ea2
SHA256 1d81c7cd634ad75ce6367c12f2c320c0b25494ea0dd204dfbcca007ca50c9fbe
SHA512 bb7fa0a65983eb6378bf0deea25f7f4d77fffc81a8a53669fb0556424ec6762d4cf23bc31281f4fa2e888d4d3000c969d3df91735705308ae3246980898bffd3

memory/3788-80-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-84-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-83-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-85-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-86-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-82-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-81-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-87-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/3788-88-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/4132-104-0x0000000000A10000-0x0000000000ED2000-memory.dmp

memory/4132-105-0x0000000000A10000-0x0000000000ED2000-memory.dmp

memory/2792-106-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2940-107-0x0000000000FE0000-0x00000000014BF000-memory.dmp

memory/4760-108-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/3788-109-0x0000000000EF0000-0x0000000001570000-memory.dmp

memory/4760-111-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-113-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-115-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-118-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/2700-121-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-125-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-128-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-127-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-126-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-124-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-123-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/2700-122-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/3008-130-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/2700-132-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/3008-133-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-135-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-138-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-141-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-144-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-147-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4760-150-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4520-155-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/4396-162-0x0000000000010000-0x00000000004D2000-memory.dmp

memory/4520-164-0x0000000000C10000-0x00000000010EF000-memory.dmp

memory/4396-166-0x0000000000010000-0x00000000004D2000-memory.dmp