Malware Analysis Report

2025-04-03 09:09

Sample ID 250224-rceq8awlz4
Target 4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe
SHA256 4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1

Threat Level: Known bad

The file 4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey family

Systembc family

Amadey

SystemBC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 14:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 14:02

Reported

2025-02-24 14:05

Platform

win7-20241010-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\kttmica\vckqbi.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\kttmica\vckqbi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\kttmica\vckqbi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\ProgramData\kttmica\vckqbi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kttmica\vckqbi.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2220 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2220 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2220 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2888 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
PID 2888 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
PID 2888 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
PID 2888 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
PID 764 wrote to memory of 2524 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kttmica\vckqbi.exe
PID 764 wrote to memory of 2524 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kttmica\vckqbi.exe
PID 764 wrote to memory of 2524 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kttmica\vckqbi.exe
PID 764 wrote to memory of 2524 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kttmica\vckqbi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe

"C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2976F77F-1AA9-422C-B30D-3CDFF700DBD3} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\ProgramData\kttmica\vckqbi.exe

C:\ProgramData\kttmica\vckqbi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp

Files

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 ebc28b4636ffb2ccd31c069fe4e3153e
SHA1 1123d1a5af8b311e66164a4eb9a4a5abf671f47a
SHA256 4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1
SHA512 f3d714acb0462b6bc3736fb5349bfab0b76fec39da7934cc79ac8decc8a7fb464afb9e1ac915f96595537ef5e3c803b4a0a31d6a904d0b7233ff160226960e0f

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 274e03a760416785c681994bfa98e24e
SHA1 c26fefa40d7a7d4e2f60d897e82ad7d61fe0bd0f
SHA256 7a0d83bca0efdc31aacf6c598618eb95fdba5ea8dff69e549c87c10cd0d54032
SHA512 f6302e4cbba0e77b77668fc0e44be019eec97b54f5fee3c90011ed1d7bf61ae7e0c934cc983c56000e3dd8297134bdc83df44b9ef965844b57fbed2c279093ec

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 9d6f03d5a83f9ab0de52c69257720122
SHA1 407ce825de553f856059543cb20c2002f4b2b87d
SHA256 ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6
SHA512 d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db

C:\Windows\Tasks\Test Task17.job

MD5 9cc93b48a8522a52d72db149d48fd7c8
SHA1 079281f133457c536c0e078436ff393737db1f67
SHA256 ec13391c9ebde04c0bb68c429cb7bdd90da41bb0a091618e2d0cbb0fdce02597
SHA512 5bc4c87cdd8d480b32e3b1b3eef07c4f307af87f69b0d1c91fbba0a6ff050324751e8d459c2d72b9a90d8508e41c02818cab7d585862ed3c4938a86c1ce3a618

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 14:02

Reported

2025-02-24 14:05

Platform

win10ltsc2021-20250217-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\twfane\vciqbmu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\twfane\vciqbmu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\twfane\vciqbmu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Wine C:\ProgramData\twfane\vciqbmu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\twfane\vciqbmu.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe

"C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\ProgramData\twfane\vciqbmu.exe

"C:\ProgramData\twfane\vciqbmu.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 ebc28b4636ffb2ccd31c069fe4e3153e
SHA1 1123d1a5af8b311e66164a4eb9a4a5abf671f47a
SHA256 4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1
SHA512 f3d714acb0462b6bc3736fb5349bfab0b76fec39da7934cc79ac8decc8a7fb464afb9e1ac915f96595537ef5e3c803b4a0a31d6a904d0b7233ff160226960e0f

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 bd6a9d5ffd2bad77a792a14ab8f2775f
SHA1 9494a453e67cce126bbad031b33325e17deaf374
SHA256 f610afd2849e89b2b04d2bdca5b33211be65081e94a5207cc51e4e0cb1c0d498
SHA512 6cd104bf357c61374dde38dce2664a8101b051a9ba47379b762290022a20bbfe00d4f99e2a1d685f81718305b3b6c63fd70d20d46bc1963b737fb6d1ed7efc42

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 9d6f03d5a83f9ab0de52c69257720122
SHA1 407ce825de553f856059543cb20c2002f4b2b87d
SHA256 ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6
SHA512 d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db

C:\Windows\Tasks\Test Task17.job

MD5 e50673e9bad34f771e8343b87767119c
SHA1 9e00a2469c27f7ddaf0451ab68ffceb7b07799c9
SHA256 1d7e37b8eb5eff3167caf2cde449909c0188316c817bf16dd5e6650e6676643e
SHA512 dbb39625c0a7d8843695f1e8273b0ad6e619209eaa4645523a55392b75d32b78f9dbe6fa9cc7925de017f13aa09ed1e1102b565975491e9bd7b794aa20ed0ea8

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-24 14:02

Reported

2025-02-24 14:05

Platform

win11-20250217-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\jtgte\rhgh.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\jtgte\rhgh.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\jtgte\rhgh.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\ProgramData\jtgte\rhgh.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\jtgte\rhgh.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe

"C:\Users\Admin\AppData\Local\Temp\4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

"C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\jtgte\rhgh.exe

C:\ProgramData\jtgte\rhgh.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 185.198.234.185:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp

Files

memory/3364-0-0x0000000000C90000-0x0000000001144000-memory.dmp

memory/3364-1-0x0000000077566000-0x0000000077568000-memory.dmp

memory/3364-2-0x0000000000C91000-0x0000000000CFD000-memory.dmp

memory/3364-3-0x0000000000C90000-0x0000000001144000-memory.dmp

memory/3364-4-0x0000000000C90000-0x0000000001144000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 ebc28b4636ffb2ccd31c069fe4e3153e
SHA1 1123d1a5af8b311e66164a4eb9a4a5abf671f47a
SHA256 4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1
SHA512 f3d714acb0462b6bc3736fb5349bfab0b76fec39da7934cc79ac8decc8a7fb464afb9e1ac915f96595537ef5e3c803b4a0a31d6a904d0b7233ff160226960e0f

memory/3364-17-0x0000000000C91000-0x0000000000CFD000-memory.dmp

memory/3364-16-0x0000000000C90000-0x0000000001144000-memory.dmp

memory/1992-19-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-20-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-21-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-22-0x0000000000830000-0x0000000000CE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 bd6a9d5ffd2bad77a792a14ab8f2775f
SHA1 9494a453e67cce126bbad031b33325e17deaf374
SHA256 f610afd2849e89b2b04d2bdca5b33211be65081e94a5207cc51e4e0cb1c0d498
SHA512 6cd104bf357c61374dde38dce2664a8101b051a9ba47379b762290022a20bbfe00d4f99e2a1d685f81718305b3b6c63fd70d20d46bc1963b737fb6d1ed7efc42

memory/1992-30-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-32-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-35-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-37-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-36-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-34-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-33-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-31-0x0000000000830000-0x0000000000CE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe

MD5 9d6f03d5a83f9ab0de52c69257720122
SHA1 407ce825de553f856059543cb20c2002f4b2b87d
SHA256 ab2c3bb1cf80ccd63b4e1be5b2aef4564542465e90f14e5110775658c6b7b9c6
SHA512 d937cb2599dd9a245e186a3f3d0efb786f9fbf5084c14878448f7454f175dc076d9af526a0f5ae24f75370247c70ae6e4f310d6d610f6ed4fdb2877b9c9468db

memory/2892-47-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-46-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/2892-51-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-49-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1992-48-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/1872-54-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-57-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1872-59-0x0000000000830000-0x0000000000CE4000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 b06512d9a44738a0fcb1411ce1baad7c
SHA1 36a988f032afd7c05a902890b9d2cf1164a283d7
SHA256 e1da12b9c3152c7ef08b67a91a5c37dc0479d2684b729a7f844046f428e856ff
SHA512 0c7e6d9f6bd8f1631c2dadeb87f37d3817f8d57e59df3ae201ff228957b361485490a319219904f873a6f54e37026cc69e4037b209d0710234c47effe3e7a2df

memory/2892-61-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2892-62-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2892-64-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-63-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-66-0x0000000000400000-0x0000000000860000-memory.dmp

memory/4180-65-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2892-68-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-67-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-69-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-70-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/2892-71-0x0000000000400000-0x0000000000860000-memory.dmp

memory/4180-72-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-73-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/2892-74-0x0000000000400000-0x0000000000860000-memory.dmp

memory/4180-75-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-76-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/2892-77-0x0000000000400000-0x0000000000860000-memory.dmp

memory/4180-78-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-79-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/2892-80-0x0000000000400000-0x0000000000860000-memory.dmp

memory/2892-82-0x0000000000400000-0x0000000000860000-memory.dmp

memory/4404-85-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-86-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-87-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-88-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-89-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-90-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-91-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-92-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-93-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-94-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-95-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-96-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-97-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/3900-99-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-100-0x0000000000400000-0x0000000000860000-memory.dmp

memory/1992-101-0x0000000000830000-0x0000000000CE4000-memory.dmp

memory/4180-102-0x0000000000400000-0x0000000000860000-memory.dmp