Malware Analysis Report

2025-04-03 09:10

Sample ID 250227-cls8ms1sc1
Target 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe

Threat Level: Known bad

The file 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey family

SystemBC

Amadey

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 02:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 02:10

Reported

2025-02-27 02:12

Platform

win7-20250207-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\tdmxlek\vttonf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\tdmxlek\vttonf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\tdmxlek\vttonf.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine C:\ProgramData\tdmxlek\vttonf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\tdmxlek\vttonf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 860 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 860 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 860 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2244 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
PID 2244 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
PID 2244 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
PID 2244 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
PID 2624 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tdmxlek\vttonf.exe
PID 2624 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tdmxlek\vttonf.exe
PID 2624 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tdmxlek\vttonf.exe
PID 2624 wrote to memory of 320 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tdmxlek\vttonf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

"C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BF67A8E9-9297-482B-96E2-329D8347F6EA} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]

C:\ProgramData\tdmxlek\vttonf.exe

C:\ProgramData\tdmxlek\vttonf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5113 towerbingobongoboom.com tcp
US 142.250.176.14:80 142.250.176.14 tcp

Files

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

MD5 b5001d168ba5139846f2848c8e05a6ee
SHA1 080f353ab857f04ea65b78570bfa998d1e421ea2
SHA256 059e600a06b4b6671fa440728b932adff7d246441bf328fcc4a8e29d4df11a23
SHA512 d608f6f4ed7de73308ab7b231b343d5a832b2c0a68b0d0522d2df4c4a8cc15e12685b2ffcb8232b58b4c519979e4307179964fa4011752288f63f72090828143

C:\Windows\Tasks\Test Task17.job

MD5 eac54ccc9924117552d887e8465d76d8
SHA1 8b2de9fc9e5b7063c6c7f2cb5c9a146dfde861e0
SHA256 935ed62e2e1000812b4cea3f473272ace80de04828c283100e9566bd40810350
SHA512 6acb2bcbaec8f75d97e5afd7c23bdb6dd6a41d057b86cc83461126f3d492a404edc76ca8cac29538d017ddc0e64e6ac5275ce104134e7f10e9cb80504682adc5

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 02:10

Reported

2025-02-27 02:12

Platform

win10v2004-20250217-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\mnpj\xnfu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\mnpj\xnfu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\mnpj\xnfu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\ProgramData\mnpj\xnfu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\mnpj\xnfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

"C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\mnpj\xnfu.exe

C:\ProgramData\mnpj\xnfu.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
GB 2.18.66.74:443 www.bing.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5417 towerbingobongoboom.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

MD5 b5001d168ba5139846f2848c8e05a6ee
SHA1 080f353ab857f04ea65b78570bfa998d1e421ea2
SHA256 059e600a06b4b6671fa440728b932adff7d246441bf328fcc4a8e29d4df11a23
SHA512 d608f6f4ed7de73308ab7b231b343d5a832b2c0a68b0d0522d2df4c4a8cc15e12685b2ffcb8232b58b4c519979e4307179964fa4011752288f63f72090828143

C:\Windows\Tasks\Test Task17.job

MD5 af7267b94921eea75ea4e9e48c22da8a
SHA1 f12863c413ceb3d74b2ad1c52b4e51e2356c57b0
SHA256 bc907e300126a9c3656e1e3d7d85bb29ded327ce381ffc2024394cffc55c38c8
SHA512 ee4df30802f2ad24b74ef1a286d6331e4d182c18cd5d823c4570a61a7f1e5c068adc7745a1e7afc4cab94ede17de860430ec4088c611c5494fee2f67d6974bd6
