amadey | b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160

Analysis

max time kernel
147s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
Size

1.8MB
MD5

4296e99064ff80e04fe93c8c3236f217
SHA1

16aaa5afdae382df0af5fff0bb0ace09ed2f06eb
SHA256

b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160
SHA512

049511733e0dd2aa0b1df0df214f0c8c4ef68ad98e06dc5be847c1f2509d270d36e84883c7ce3af47b40ef605802e2a4fbbc3c52ff0390709da45a87eb8b1f94
SSDEEP

49152:sTxVE8ysSnlZHIPWhlFHuNcIr766+bYvRGjm61xY:CxXGbhlxumIP6VYS1xY

Score

10^/10

amadey risepro evasion persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorku.exeexplorku.exeb06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exeexplorku.exeaxplons.exeaxplons.exeamers.exeaxplons.exe1b79175f97.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1b79175f97.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exeexplorku.exeamers.exe1b79175f97.exeexplorku.exeexplorku.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1b79175f97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1b79175f97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exeexplorku.exeamers.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	explorku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	amers.exe

Executes dropped EXE 9 IoCs

Processes:

explorku.exeamers.exeaxplons.exe1b79175f97.exeinstaller.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe

pid process

2296 explorku.exe
4880 amers.exe
2504 axplons.exe
3612 1b79175f97.exe
2240 installer.exe
1792 axplons.exe
3956 explorku.exe
4888 axplons.exe
1268 explorku.exe

pid	process
2296	explorku.exe
4880	amers.exe
2504	axplons.exe
3612	1b79175f97.exe
2240	installer.exe
1792	axplons.exe
3956	explorku.exe
4888	axplons.exe
1268	explorku.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 45 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1392-0-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-1-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-2-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-4-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-6-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-7-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-5-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/1392-3-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral1/memory/1392-20-0x00000000001A0000-0x0000000000700000-memory.dmp	themida
behavioral1/memory/2296-21-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-24-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-28-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-27-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-26-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-25-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-22-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/2296-23-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
C:\Users\Admin\1000006002\1b79175f97.exe	themida
behavioral1/memory/3612-81-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/2296-80-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3612-83-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-82-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-84-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-85-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-86-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-89-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-87-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3612-88-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/2296-123-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3612-125-0x0000000000C90000-0x0000000001313000-memory.dmp	themida
behavioral1/memory/3956-234-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-235-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-233-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-232-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-237-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-238-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-236-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-239-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/3956-241-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/1268-268-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/1268-267-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/1268-266-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/1268-270-0x0000000000460000-0x00000000009C0000-memory.dmp	themida
behavioral1/memory/1268-276-0x0000000000460000-0x00000000009C0000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1b79175f97.exe = "C:\\Users\\Admin\\1000006002\\1b79175f97.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorku.exeexplorku.exeb06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exeexplorku.exe1b79175f97.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b79175f97.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exe

pid process

4880 amers.exe
2504 axplons.exe
1792 axplons.exe
4888 axplons.exe
Drops file in Windows directory 2 IoCs

Processes:

b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exeamers.exe

description ioc process

File created C:\Windows\Tasks\explorku.job b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
File created C:\Windows\Tasks\axplons.job amers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

amers.exeaxplons.exeinstaller.exeaxplons.exeaxplons.exe

pid process

4880 amers.exe
4880 amers.exe
2504 axplons.exe
2504 axplons.exe
2240 installer.exe
1792 axplons.exe
1792 axplons.exe
2240 installer.exe
4888 axplons.exe
4888 axplons.exe
2240 installer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installer.exe

description pid process

Token: SeDebugPrivilege 2240 installer.exe

flow	ioc
27	ip-api.com

pid	process
4880	amers.exe
2504	axplons.exe
1792	axplons.exe
4888	axplons.exe

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

pid	process
4880	amers.exe
4880	amers.exe
2504	axplons.exe
2504	axplons.exe
2240	installer.exe
1792	axplons.exe
1792	axplons.exe
2240	installer.exe
4888	axplons.exe
4888	axplons.exe
2240	installer.exe

description	pid	process
Token: SeDebugPrivilege	2240	installer.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exeexplorku.exeamers.exe

description	pid	process	target process
PID 1392 wrote to memory of 2296	1392	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe	explorku.exe
PID 1392 wrote to memory of 2296	1392	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe	explorku.exe
PID 1392 wrote to memory of 2296	1392	b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe	explorku.exe
PID 2296 wrote to memory of 1572	2296	explorku.exe	explorku.exe
PID 2296 wrote to memory of 1572	2296	explorku.exe	explorku.exe
PID 2296 wrote to memory of 1572	2296	explorku.exe	explorku.exe
PID 2296 wrote to memory of 4880	2296	explorku.exe	amers.exe
PID 2296 wrote to memory of 4880	2296	explorku.exe	amers.exe
PID 2296 wrote to memory of 4880	2296	explorku.exe	amers.exe
PID 4880 wrote to memory of 2504	4880	amers.exe	axplons.exe
PID 4880 wrote to memory of 2504	4880	amers.exe	axplons.exe
PID 4880 wrote to memory of 2504	4880	amers.exe	axplons.exe
PID 2296 wrote to memory of 3612	2296	explorku.exe	1b79175f97.exe
PID 2296 wrote to memory of 3612	2296	explorku.exe	1b79175f97.exe
PID 2296 wrote to memory of 3612	2296	explorku.exe	1b79175f97.exe
PID 2296 wrote to memory of 2240	2296	explorku.exe	installer.exe
PID 2296 wrote to memory of 2240	2296	explorku.exe	installer.exe

C:\Users\Admin\AppData\Local\Temp\b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
"C:\Users\Admin\AppData\Local\Temp\b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
3⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2504

C:\Users\Admin\1000006002\1b79175f97.exe
"C:\Users\Admin\1000006002\1b79175f97.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3612

C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3956

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000006002\1b79175f97.exe
Filesize
2.1MB

MD5
bdb4ffe3e6b1c429910cbbb509b01f9a

SHA1
8bd1903eb55c60387b7ddc68cf352a6055762f63

SHA256
15b3713c716478efade6a9354b3993ad8196922d173ef307b42cf7f55b013b61

SHA512
9331b11b726718606912702051e3fa3627cc53f4de16ff4b26c0c454fdf39163a59f09ef4e0f05b1826a99c5d5e0c0ae3a5a45cfce426543411f5a64cbb72275

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
Filesize
1.8MB

MD5
2d9c768a86b095245fb4d8b38343c18d

SHA1
9ab00ec0ddddc90e5901431d72f6b75c7d3a36a4

SHA256
e33753b6793acf93108ee09e792fcde82671fc7bae5c384c5e052f74c500f7b4

SHA512
96473c52f8b81e8f71708d5519f96fb108a3b6c864aaa33b714cd0d3eff64d221d64e8d36bc2ea39e15881e631a2cb41cdf75453a6b598c9e48fd5d1dd2fc15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe
Filesize
621KB

MD5
611a4246c5aabf1594344d7bd3fccb4c

SHA1
cf0e6b3ecb479a8bdb7421090ecc89148db9f83b

SHA256
aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e

SHA512
0daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
1.8MB

MD5
4296e99064ff80e04fe93c8c3236f217

SHA1
16aaa5afdae382df0af5fff0bb0ace09ed2f06eb

SHA256
b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160

SHA512
049511733e0dd2aa0b1df0df214f0c8c4ef68ad98e06dc5be847c1f2509d270d36e84883c7ce3af47b40ef605802e2a4fbbc3c52ff0390709da45a87eb8b1f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45bikmpi.brl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1268-276-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/1268-268-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/1268-267-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/1268-266-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/1268-270-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/1392-3-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-2-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-5-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-7-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-6-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-20-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-1-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-0-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1392-4-0x00000000001A0000-0x0000000000700000-memory.dmp

Filesize
5.4MB

Download
memory/1792-243-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/1792-231-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2240-122-0x000000001CF10000-0x000000001CF2C000-memory.dmp

Filesize
112KB

Download
memory/2240-121-0x000000001CBE0000-0x000000001CDA2000-memory.dmp

Filesize
1.8MB

Download
memory/2240-120-0x000000001CF40000-0x000000001D468000-memory.dmp

Filesize
5.2MB

Download
memory/2240-132-0x000000001B530000-0x000000001B542000-memory.dmp

Filesize
72KB

Download
memory/2240-119-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2240-118-0x0000000000E50000-0x0000000000E72000-memory.dmp

Filesize
136KB

Download
memory/2240-108-0x0000000000440000-0x00000000004E2000-memory.dmp

Filesize
648KB

Download
memory/2296-23-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-123-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-21-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-24-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-28-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-27-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-26-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-25-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-22-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2296-80-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/2504-250-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-255-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-61-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-262-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-259-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-124-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-248-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-127-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-130-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-131-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/2504-245-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/3612-88-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-89-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-82-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-86-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-87-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-84-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-83-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-81-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-125-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3612-85-0x0000000000C90000-0x0000000001313000-memory.dmp

Filesize
6.5MB

Download
memory/3956-238-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-237-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-235-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-241-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-239-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-236-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-233-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-232-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/3956-234-0x0000000000460000-0x00000000009C0000-memory.dmp

Filesize
5.4MB

Download
memory/4880-46-0x0000000000A50000-0x0000000000F10000-memory.dmp

Filesize
4.8MB

Download
memory/4880-47-0x0000000077BE4000-0x0000000077BE6000-memory.dmp

Filesize
8KB

Download
memory/4880-60-0x0000000000A50000-0x0000000000F10000-memory.dmp

Filesize
4.8MB

Download
memory/4888-269-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download
memory/4888-278-0x0000000000EA0000-0x0000000001360000-memory.dmp

Filesize
4.8MB

Download