Malware Analysis Report

2025-03-15 03:56

Sample ID 240520-yejlhsec66
Target 4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb
SHA256 4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb
Tags themida amadey risepro 18befc c767c0 evasion persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb

Threat Level: Known bad

The file 4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb was found to be: Known bad.

Malicious Activity Summary

themida amadey risepro 18befc c767c0 evasion persistence stealer trojan

RisePro

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 19:41

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 19:41

Reported

2024-05-20 20:13

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\f775af6acd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\f775af6acd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\f775af6acd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\1000017002\f775af6acd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\1000017002\f775af6acd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9467a33d55.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\9467a33d55.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\1000017002\f775af6acd.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3252 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3252 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1388 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1388 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1388 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1388 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1388 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1388 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1388 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe
PID 1388 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe
PID 1388 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe
PID 1388 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\f775af6acd.exe
PID 1388 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\f775af6acd.exe
PID 1388 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\f775af6acd.exe
PID 3104 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3104 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3104 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4076 wrote to memory of 1164 N/A C:\Users\Admin\1000017002\f775af6acd.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4076 wrote to memory of 1164 N/A C:\Users\Admin\1000017002\f775af6acd.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4076 wrote to memory of 1164 N/A C:\Users\Admin\1000017002\f775af6acd.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe

"C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe"

C:\Users\Admin\1000017002\f775af6acd.exe

"C:\Users\Admin\1000017002\f775af6acd.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.200.42:443 N/A tcp
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 13.107.246.64:443 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

memory/3252-0-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-3-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-1-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-2-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-4-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-6-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-5-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/3252-7-0x0000000000FA0000-0x00000000014AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 85c5cd1acfa13f195dffc33a271ff469
SHA1 41bfad138fdd845b75b181391bda478289033a67
SHA256 4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb
SHA512 6c9b3e56d87967feba60f4ea0c70413d1c91945a8820532f4d477b12026b8be9f90fb85ff9c62218fc9a81c92132146f41704f12cfbc053a390a8235536b51e4

memory/3252-16-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/1388-21-0x0000000000120000-0x000000000062A000-memory.dmp

memory/3252-20-0x0000000000FA0000-0x00000000014AA000-memory.dmp

memory/1388-24-0x0000000000120000-0x000000000062A000-memory.dmp

memory/1388-23-0x0000000000120000-0x000000000062A000-memory.dmp

memory/1388-26-0x0000000000120000-0x000000000062A000-memory.dmp

memory/1388-28-0x0000000000120000-0x000000000062A000-memory.dmp

memory/1388-27-0x0000000000120000-0x000000000062A000-memory.dmp

memory/1388-25-0x0000000000120000-0x000000000062A000-memory.dmp

memory/1388-22-0x0000000000120000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 22b0728b2f5d134417c2884f7f129df8
SHA1 44f754e4a5896149f16ee8483fa3f1b3bcf5a8c9
SHA256 649ea20c15fa79d1cdfb9efed971b7e90db4cca36a44028e934e52a10db640b4
SHA512 b5b10ad58122f5f541e0ab6043364af04280a31ece608a7be5b718e5e961ce6a16624dd72614a13e6bfa73c2536ad8dd4a24a11feb7d9391d78f33023ad30722

memory/3104-46-0x0000000000F90000-0x0000000001452000-memory.dmp

memory/3104-47-0x0000000077834000-0x0000000077836000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\9467a33d55.exe

MD5 e5c56759e06b678f2fb7c788460188fb
SHA1 e1ff63d838bd8fa32b25cb015af3c668b15ff24d
SHA256 f80e8eadfd4accf901a4a0b3eb57c99a07146e55a157c626ad0c06cee14b9b3d
SHA512 e791399055dec4dfa883cac04d4dad1b2f1df295bd581600d4deee169178ce9765f8cd619087d2eee8ed2f83294b651e53c53f00d2cc4ae8df2f4d67a5abd5e6

memory/1388-68-0x0000000000120000-0x000000000062A000-memory.dmp

memory/4948-67-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-72-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-70-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-71-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-69-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-81-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-84-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-85-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4948-86-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/4076-96-0x0000000000970000-0x0000000000E32000-memory.dmp

memory/3104-103-0x0000000000F90000-0x0000000001452000-memory.dmp

memory/4924-104-0x0000000000AB0000-0x0000000000F72000-memory.dmp

C:\Windows\Tasks\axplons.job

MD5 cdbc106f0f0c106c2ba1ea397de7c16e
SHA1 96faf5c0e686e57659c98e503134bc9bc4978e48
SHA256 03092e8612f5537626578ed77c2f17a34e28eb1fe7cb8e3176fec64bb1c1f895
SHA512 7dcdf14bff423ea743ccd501e9e668ccd95a6cfc1bb55e9734eb9dd452ff8f230bff6633bd17924227b1c34401e34bb05a1de5c8f6281b891b4da99a1257b56d

memory/4076-108-0x0000000000970000-0x0000000000E32000-memory.dmp

memory/1164-110-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/4924-111-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1388-112-0x0000000000120000-0x000000000062A000-memory.dmp

memory/4948-113-0x00000000008B0000-0x0000000000F37000-memory.dmp

memory/1164-114-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-117-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-120-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/2012-123-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2676-124-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/2012-126-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2012-127-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2012-128-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2012-129-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2012-130-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2012-125-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2012-131-0x0000000000120000-0x000000000062A000-memory.dmp

memory/2676-132-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-135-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-138-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-140-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-142-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-145-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/1164-150-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/640-154-0x0000000000120000-0x000000000062A000-memory.dmp

memory/3692-157-0x0000000000AB0000-0x0000000000F72000-memory.dmp

memory/640-153-0x0000000000120000-0x000000000062A000-memory.dmp

memory/640-163-0x0000000000120000-0x000000000062A000-memory.dmp

memory/3692-165-0x0000000000AB0000-0x0000000000F72000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 19:41

Reported

2024-05-20 20:13

Platform

win11-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\7f1ab25093.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\7f1ab25093.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\7f1ab25093.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\1000017002\7f1ab25093.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\0027782a30.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\0027782a30.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2996 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2996 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2764 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2764 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2764 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2764 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 2764 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 2764 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1644 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1644 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1644 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 2764 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe
PID 2764 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe
PID 2764 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe
PID 2764 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\7f1ab25093.exe
PID 2764 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\7f1ab25093.exe
PID 2764 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\7f1ab25093.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe

"C:\Users\Admin\AppData\Local\Temp\4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe"

C:\Users\Admin\1000017002\7f1ab25093.exe

"C:\Users\Admin\1000017002\7f1ab25093.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

memory/2996-1-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-0-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-5-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-4-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-7-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-6-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-2-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2996-3-0x0000000000F80000-0x000000000148A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 85c5cd1acfa13f195dffc33a271ff469
SHA1 41bfad138fdd845b75b181391bda478289033a67
SHA256 4e4b9f938db5ef7bbb2d7387daa53ba04ab39be4e552d137e37c33632f86edbb
SHA512 6c9b3e56d87967feba60f4ea0c70413d1c91945a8820532f4d477b12026b8be9f90fb85ff9c62218fc9a81c92132146f41704f12cfbc053a390a8235536b51e4

memory/2996-20-0x0000000000F80000-0x000000000148A000-memory.dmp

memory/2764-22-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-28-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-27-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-25-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-24-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-26-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-23-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2764-21-0x00000000000B0000-0x00000000005BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 22b0728b2f5d134417c2884f7f129df8
SHA1 44f754e4a5896149f16ee8483fa3f1b3bcf5a8c9
SHA256 649ea20c15fa79d1cdfb9efed971b7e90db4cca36a44028e934e52a10db640b4
SHA512 b5b10ad58122f5f541e0ab6043364af04280a31ece608a7be5b718e5e961ce6a16624dd72614a13e6bfa73c2536ad8dd4a24a11feb7d9391d78f33023ad30722

memory/1644-45-0x0000000000140000-0x0000000000602000-memory.dmp

memory/1644-47-0x00000000774E6000-0x00000000774E8000-memory.dmp

memory/1644-60-0x0000000000140000-0x0000000000602000-memory.dmp

memory/468-61-0x0000000000C20000-0x00000000010E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\0027782a30.exe

MD5 e5c56759e06b678f2fb7c788460188fb
SHA1 e1ff63d838bd8fa32b25cb015af3c668b15ff24d
SHA256 f80e8eadfd4accf901a4a0b3eb57c99a07146e55a157c626ad0c06cee14b9b3d
SHA512 e791399055dec4dfa883cac04d4dad1b2f1df295bd581600d4deee169178ce9765f8cd619087d2eee8ed2f83294b651e53c53f00d2cc4ae8df2f4d67a5abd5e6

memory/2764-80-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2192-85-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-84-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-83-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-86-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-87-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-89-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-82-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-81-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/2192-88-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/4084-105-0x0000000000400000-0x00000000008C2000-memory.dmp

memory/4084-106-0x0000000000400000-0x00000000008C2000-memory.dmp

memory/468-107-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/2764-108-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2192-110-0x00000000001C0000-0x0000000000847000-memory.dmp

memory/468-111-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-115-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-118-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/2540-121-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/2772-129-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-130-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-128-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-127-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-125-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-126-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-123-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2772-134-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/2540-133-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-135-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-138-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-142-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-145-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-147-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/468-150-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/440-154-0x0000000000C20000-0x00000000010E2000-memory.dmp

memory/3148-156-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/3148-165-0x00000000000B0000-0x00000000005BA000-memory.dmp

memory/440-167-0x0000000000C20000-0x00000000010E2000-memory.dmp