Malware Analysis Report

2025-04-03 09:35

Sample ID 250226-kzjv5atlt2
Target f75ad0aa5397c534ba69c40f736f6e11.exe
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221

Threat Level: Known bad

The file f75ad0aa5397c534ba69c40f736f6e11.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey

Amadey family

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-26 09:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 09:02

Reported

2025-02-26 09:04

Platform

win7-20240903-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\nxkal\xvwes.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\nxkal\xvwes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\nxkal\xvwes.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
N/A N/A C:\ProgramData\nxkal\xvwes.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\ProgramData\nxkal\xvwes.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
N/A N/A C:\ProgramData\nxkal\xvwes.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\10000200102\ssystemfiktums.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\nxkal\xvwes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1640 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1640 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1640 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 824 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 824 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 824 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 824 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 2708 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\nxkal\xvwes.exe
PID 2708 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\nxkal\xvwes.exe
PID 2708 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\nxkal\xvwes.exe
PID 2708 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\nxkal\xvwes.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe

"C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\10000200102\ssystemfiktums.exe

"C:\Users\Admin\10000200102\ssystemfiktums.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {471D8BD9-4AC0-4812-95A7-EB6BA85C4613} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\ProgramData\nxkal\xvwes.exe

C:\ProgramData\nxkal\xvwes.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5113 towerbingobongoboom.com tcp

Files

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 f75ad0aa5397c534ba69c40f736f6e11
SHA1 294190bb853c05c9603faab7cdc40b01c0e844a4
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
SHA512 7585ea3d3cfdab7e601792e5ff8441a2719f5cbb09077b4a3c1919f6b997fd583d5eb555c0afb623114f36f2aa035a45cfb2db7486b4f5a168651a1661bdc8bf

C:\Users\Admin\10000200102\ssystemfiktums.exe

MD5 f398330ff76c75dbaffe5c18078c35e5
SHA1 97c7b2fa744cdf86ce74322f0a683b260e21d188
SHA256 81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699
SHA512 69768f2338ceff5e0872ef066201a3b06ad30b31138524d62943982d67dd046a8cd2051a9730a8e81ea93404fddd734fa1c6cab8ccb5689fd343572604c8cb8c

C:\Windows\Tasks\Test Task17.job

MD5 f0ddb0cb45a2d45821729e839aa28392
SHA1 6b59901f93912101a96bc315a5661edf0e6ecdaa
SHA256 95dca4ee10420f665d17167b6cf261cd00f86fb037078d046ef2f55d38f31f2d
SHA512 2917288da6d2157935bf77745e735e3958e78df5f43afcd4747b35c4cc9ae6b0e98fa50b0851c756ab2db44f89b93819a5789fc453617e2c9878fd854502b725

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 09:02

Reported

2025-02-26 09:04

Platform

win10v2004-20250217-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\axqbvg\hmtpk.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\axqbvg\hmtpk.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\axqbvg\hmtpk.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\ProgramData\axqbvg\hmtpk.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\10000200102\ssystemfiktums.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\axqbvg\hmtpk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe

"C:\Users\Admin\AppData\Local\Temp\f75ad0aa5397c534ba69c40f736f6e11.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\10000200102\ssystemfiktums.exe

"C:\Users\Admin\10000200102\ssystemfiktums.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\axqbvg\hmtpk.exe

C:\ProgramData\axqbvg\hmtpk.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5418 towerbingobongoboom.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 f75ad0aa5397c534ba69c40f736f6e11
SHA1 294190bb853c05c9603faab7cdc40b01c0e844a4
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
SHA512 7585ea3d3cfdab7e601792e5ff8441a2719f5cbb09077b4a3c1919f6b997fd583d5eb555c0afb623114f36f2aa035a45cfb2db7486b4f5a168651a1661bdc8bf

C:\Users\Admin\10000200102\ssystemfiktums.exe

MD5 f398330ff76c75dbaffe5c18078c35e5
SHA1 97c7b2fa744cdf86ce74322f0a683b260e21d188
SHA256 81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699
SHA512 69768f2338ceff5e0872ef066201a3b06ad30b31138524d62943982d67dd046a8cd2051a9730a8e81ea93404fddd734fa1c6cab8ccb5689fd343572604c8cb8c

C:\Windows\Tasks\Test Task17.job

MD5 dcd7be4276eb95a3a3c1eba22e9363b9
SHA1 cda6c72ed4992f1a12d5ed8d5fb87664874d7694
SHA256 bdca96bd5e4dfa2b77be59b96ced1588265c59d9e1a6c52fcb17164a8ad5ae75
SHA512 5ed8343d1347aa7b7958a2c0e9e84efa400479bbfd05d4ac1ab2f364812492bb8c00c1576a00a392ad01169f937d1279a540d3de9e9b35ce078dd6cde81effea