Malware Analysis Report

2025-04-03 09:37

Sample ID 250227-crtrcssjx7
Target 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe

Threat Level: Known bad

The file 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey family

Systembc family

Amadey

SystemBC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 02:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 02:19

Reported

2025-02-27 02:21

Platform

win7-20241010-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\bsca\ntcmc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\bsca\ntcmc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\bsca\ntcmc.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\ProgramData\bsca\ntcmc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\bsca\ntcmc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1176 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1176 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1176 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2960 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2960 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2960 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2960 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2276 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bsca\ntcmc.exe
PID 2276 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bsca\ntcmc.exe
PID 2276 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bsca\ntcmc.exe
PID 2276 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bsca\ntcmc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2440C284-9800-49D3-9AA2-967791019D07} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\ProgramData\bsca\ntcmc.exe

C:\ProgramData\bsca\ntcmc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5417 towerbingobongoboom.com tcp

Files

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

MD5 ec23aa1a029ed83e876b9c9276d7c743
SHA1 af2f99ae5e09f4b40788b072ed8e2d34ff3c4a5d
SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370
SHA512 8e182ba35bb0f4bd268f08583d6cc93c3fb978b0844ee90dd203e971f07289b598cf5baf2213f86294fa69d7c2d7377d4b8603b83b212ba12b59a5e6bf2ff341

C:\Windows\Tasks\Test Task17.job

MD5 232ec75340fb6b36d803770a204be130
SHA1 d16ab9203eca5f8034671bf0de476d8dd8e9e460
SHA256 945583b3e7858e462aabb3dabcf26abb7e82a932e495ebc158bed195ff06a0c4
SHA512 ed61c0612a3e07252dc610676324bdd304e8299038197f587eb0623b89eade73d944028a82bafd21efe5e5cc94552eacc6b35269aef6e4e3fc9d630461e50b43

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 02:19

Reported

2025-02-27 02:21

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\qhprs\lncwsx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\qhprs\lncwsx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\qhprs\lncwsx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\ProgramData\qhprs\lncwsx.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\qhprs\lncwsx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe

"C:\Users\Admin\AppData\Local\Temp\0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\qhprs\lncwsx.exe

C:\ProgramData\qhprs\lncwsx.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5418 towerbingobongoboom.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

MD5 ec23aa1a029ed83e876b9c9276d7c743
SHA1 af2f99ae5e09f4b40788b072ed8e2d34ff3c4a5d
SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370
SHA512 8e182ba35bb0f4bd268f08583d6cc93c3fb978b0844ee90dd203e971f07289b598cf5baf2213f86294fa69d7c2d7377d4b8603b83b212ba12b59a5e6bf2ff341

C:\Windows\Tasks\Test Task17.job

MD5 c04f3f6d9b978871af68e880418c1080
SHA1 df1cfb11e4688937a6eee85eeb1b8e8203d9d02a
SHA256 091ec0b88c37e5c515bc456e9751855ede1a9a74a8365986ea34158a520d4b03
SHA512 4809da0ae21941ce15413b971936e5d4578100eadd56c1ad468f3912dc05af3a19f69ed6822a5ff12ac2719685c6effa01ff83884707fdb653d235acd3c9fe07
