Malware Analysis Report

2025-03-15 03:59

Sample ID 240521-a6w4xsdb6t
Target 63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60
SHA256 63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60
Tags
themida amadey risepro 18befc c767c0 evasion persistence stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60

Threat Level: Known bad

The file 63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60 was found to be: Known bad.

Malicious Activity Summary

themida amadey risepro 18befc c767c0 evasion persistence stealer trojan

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Themida packer

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-21 00:50

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 00:50

Reported

2024-05-21 00:52

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\6961363f38.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\6961363f38.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\6961363f38.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine C:\Users\Admin\1000017002\6961363f38.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6aa9e8da74.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\6aa9e8da74.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3936 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3936 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3936 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4388 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4388 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4388 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4388 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4388 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4388 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4136 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4136 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4136 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4388 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe
PID 4388 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe
PID 4388 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe
PID 4388 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\6961363f38.exe
PID 4388 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\6961363f38.exe
PID 4388 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\6961363f38.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe

"C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe"

C:\Users\Admin\1000017002\6961363f38.exe

"C:\Users\Admin\1000017002\6961363f38.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/3936-3-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-1-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-0-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-2-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-6-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-4-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-5-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/3936-7-0x0000000000DB0000-0x00000000012DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 0d67b20d2a7d20ca1bc5d845f4428e7e
SHA1 7ac5f1a6bb3cb3c12df495dc601acb491700cb9b
SHA256 63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60
SHA512 82afa9fc6cadfb92c3db80a59c611874c8e648814786e78ecb828494d92562fc4f9c85b55439305553b65247bedbc47c7ac2509a69e062a415a2306ba617e05b

memory/4388-21-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/3936-20-0x0000000000DB0000-0x00000000012DE000-memory.dmp

memory/4388-22-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4388-24-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4388-23-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4388-25-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4388-28-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4388-27-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4388-26-0x00000000000C0000-0x00000000005EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 8002b0315b11e653bcd1da3f5d46ddec
SHA1 5f4213955ba928cd3c9b9789e666dac6c560045f
SHA256 9c2a0965568f51d317ee1c2eb9bdb12cb39ff4e0c3853b9d526cd208d6f6229b
SHA512 51af13e4158b7930d8eba08558e51e488c3c071319b3bc2f6b2c6d756d92d7857cd0c82e5ca4c24df0ad25950ee3de450d2e9fc050f3413ea1ae974ceb6e7e8d

memory/4136-46-0x0000000001000000-0x00000000014B1000-memory.dmp

memory/4136-47-0x0000000077714000-0x0000000077716000-memory.dmp

memory/1604-61-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/4136-60-0x0000000001000000-0x00000000014B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\6aa9e8da74.exe

MD5 035744987f3bf0c3b8d0dbb5acf38db0
SHA1 e3e3b27cda9421a56bf75365b4e7468fc80e0148
SHA256 9bfb67d9d1ed8687c58ed60cd63c10ad146c8b6caea7fcca693281118697da35
SHA512 740cc54d9d4c73da092d5b13d817843c565880427310f069715e105166d602063b2df7e8d79b5cfb9d2399802003d851e91e156895b763750367fa087ab6b1ca

memory/4544-81-0x0000000000400000-0x0000000000A97000-memory.dmp

memory/4388-80-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4544-83-0x0000000000400000-0x0000000000A97000-memory.dmp

memory/4544-84-0x0000000000400000-0x0000000000A97000-memory.dmp

memory/4544-85-0x0000000000400000-0x0000000000A97000-memory.dmp

memory/4544-82-0x0000000000400000-0x0000000000A97000-memory.dmp

memory/64-101-0x0000000000F20000-0x00000000013D1000-memory.dmp

memory/64-102-0x0000000000F20000-0x00000000013D1000-memory.dmp

memory/1604-103-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/4388-104-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4544-105-0x0000000000400000-0x0000000000A97000-memory.dmp

memory/1604-107-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-110-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-112-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1916-123-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4316-117-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1916-118-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-125-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-122-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-124-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-121-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-120-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-119-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/1916-127-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4316-128-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-130-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-133-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-135-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-138-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-142-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/1604-145-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/4316-152-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4316-150-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4316-149-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/884-151-0x00000000005A0000-0x0000000000A51000-memory.dmp

memory/4316-153-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/4316-159-0x00000000000C0000-0x00000000005EE000-memory.dmp

memory/884-161-0x00000000005A0000-0x0000000000A51000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 00:50

Reported

2024-05-21 00:52

Platform

win11-20240419-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\fa83e7a334.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\fa83e7a334.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\fa83e7a334.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\1000017002\fa83e7a334.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc8b89d9ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\dc8b89d9ec.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4188 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4188 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4896 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4896 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4896 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4896 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4896 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4896 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 468 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 468 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 468 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4896 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe
PID 4896 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe
PID 4896 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe
PID 4896 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\fa83e7a334.exe
PID 4896 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\fa83e7a334.exe
PID 4896 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\fa83e7a334.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe

"C:\Users\Admin\AppData\Local\Temp\63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe"

C:\Users\Admin\1000017002\fa83e7a334.exe

"C:\Users\Admin\1000017002\fa83e7a334.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 0d67b20d2a7d20ca1bc5d845f4428e7e
SHA1 7ac5f1a6bb3cb3c12df495dc601acb491700cb9b
SHA256 63572ab980d738da124d7c6403cd8ecc5c75fb8ab052dea2c7651b4418a30a60
SHA512 82afa9fc6cadfb92c3db80a59c611874c8e648814786e78ecb828494d92562fc4f9c85b55439305553b65247bedbc47c7ac2509a69e062a415a2306ba617e05b

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 8002b0315b11e653bcd1da3f5d46ddec
SHA1 5f4213955ba928cd3c9b9789e666dac6c560045f
SHA256 9c2a0965568f51d317ee1c2eb9bdb12cb39ff4e0c3853b9d526cd208d6f6229b
SHA512 51af13e4158b7930d8eba08558e51e488c3c071319b3bc2f6b2c6d756d92d7857cd0c82e5ca4c24df0ad25950ee3de450d2e9fc050f3413ea1ae974ceb6e7e8d

C:\Users\Admin\AppData\Local\Temp\1000014001\dc8b89d9ec.exe

MD5 035744987f3bf0c3b8d0dbb5acf38db0
SHA1 e3e3b27cda9421a56bf75365b4e7468fc80e0148
SHA256 9bfb67d9d1ed8687c58ed60cd63c10ad146c8b6caea7fcca693281118697da35
SHA512 740cc54d9d4c73da092d5b13d817843c565880427310f069715e105166d602063b2df7e8d79b5cfb9d2399802003d851e91e156895b763750367fa087ab6b1ca
