Malware Analysis Report

2025-04-03 09:37

Sample ID 250228-jej5qawj17
Target 66336092dce79c1abbe03207cd634a23.exe
SHA256 4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5

Threat Level: Known bad

The file 66336092dce79c1abbe03207cd634a23.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey family

SystemBC

Systembc family

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2025-02-28 07:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-28 07:34

Reported

2025-02-28 07:37

Platform

win7-20240903-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\jebos\codrufm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\jebos\codrufm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\jebos\codrufm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine C:\ProgramData\jebos\codrufm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\jebos\codrufm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1404 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1404 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1404 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2692 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2692 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2692 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2692 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 1652 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\jebos\codrufm.exe
PID 1652 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\jebos\codrufm.exe
PID 1652 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\jebos\codrufm.exe
PID 1652 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\jebos\codrufm.exe
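The signature tables above list one row per registry access and one row per WriteProcessMemory call, which makes the staging order hard to see at a glance. The Python script below is an added example, not part of the sandbox report: it rebuilds the parent/child chain from the "PID X wrote to memory of Y" rows and tallies which environment checks each image performed. The embedded rows are copied from the behavioral1 tables above (plus one Geo\Nation row from the behavioral2 table further down, so the classifier also covers that check); the category labels are this example's own naming. Note that the dropped Gxtuum.exe listed under Files carries the same MD5/SHA256 as the submitted sample, so the first hop in the chain is a self-copy into %TEMP%\a58456755d\.

```python
"""Rebuild process lineage and per-image environment checks from flattened sandbox rows."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: rows copied from the signature tables of this report. The sandbox
# logs one row per event, so identical WriteProcessMemory rows repeat.
WPM_ROWS = r"""
PID 1404 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1404 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2692 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 1652 wrote to memory of 1972 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\jebos\codrufm.exe
"""

REG_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\jebos\codrufm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\jebos\codrufm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$")
# The indicator is matched lazily because some key paths contain spaces ("Control Panel").
REG_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(C:\\\S+)\s+(\S+)$")

# Category labels are this example's own naming, keyed on substrings of the registry path.
CHECK_CATEGORIES = (
    (r"\ACPI\DSDT\VBOX__", "anti-vm:virtualbox-acpi"),
    (r"\SystemBiosVersion", "anti-vm:bios-strings"),
    (r"\VideoBiosVersion", "anti-vm:bios-strings"),
    (r"\Software\Wine", "anti-emulation:wine"),
    (r"\NLS\Language", "discovery:system-language"),
    (r"\Geo\Nation", "discovery:geo-nation"),
)


def parse_memory_writes(text: str) -> List[Tuple[int, int, str, str]]:
    """Return unique (parent_pid, child_pid, parent_path, child_path) edges in first-seen order."""
    seen: Set[Tuple[int, int, str, str]] = set()
    edges: List[Tuple[int, int, str, str]] = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def render_tree(edges: List[Tuple[int, int, str, str]]) -> List[str]:
    """Render the lineage as indented 'pid path' lines, one subtree per root process."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for ppid, cpid, ppath, cpath in edges:
        children[ppid].append(cpid)
        names.setdefault(ppid, ppath)
        names[cpid] = cpath
    child_pids = {cpid for _, cpid, _, _ in edges}
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {names[pid]}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in (pid for pid in names if pid not in child_pids):
        walk(root, 0)
    return lines


def classify_registry_checks(text: str) -> Dict[str, Set[str]]:
    """Map each process image name to the set of environment checks it performed."""
    checks: Dict[str, Set[str]] = defaultdict(set)
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        key, image = m.group(2), m.group(3).rsplit("\\", 1)[-1]
        for needle, label in CHECK_CATEGORIES:
            if needle in key:
                checks[image].add(label)
    return dict(checks)


if __name__ == "__main__":
    print("\n".join(render_tree(parse_memory_writes(WPM_ROWS))))
    for image, labels in classify_registry_checks(REG_ROWS).items():
        print(f"{image}: {', '.join(sorted(labels))}")
```

Run as-is it prints two subtrees: the submitted sample (PID 1404) writing into its own copy Gxtuum.exe (2692), which in turn stages hypperdrive.exe (1788), and a separate taskeng.exe (1652) root that launches codrufm.exe (1972), i.e. the second payload is already being started from a scheduled task rather than from the sample itself. Every image in the chain repeats the VirtualBox ACPI check, so an anti-VM bypass has to hold for each stage, not just for the initial sample.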

Processes

C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

"C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4559D0FA-A37D-4C05-91D7-1F36A197CEBE} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]

C:\ProgramData\jebos\codrufm.exe

C:\ProgramData\jebos\codrufm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4911 towerbingobongoboom.com tcp
US 8.8.8.8:53 secure.xposedskinz.com udp
US 8.8.8.8:53 secure.soawk.com udp

Files

memory/1404-0-0x0000000000390000-0x0000000000845000-memory.dmp

memory/1404-1-0x0000000077C00000-0x0000000077C02000-memory.dmp

memory/1404-2-0x0000000000391000-0x00000000003BF000-memory.dmp

memory/1404-3-0x0000000000390000-0x0000000000845000-memory.dmp

memory/1404-5-0x0000000000390000-0x0000000000845000-memory.dmp

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 66336092dce79c1abbe03207cd634a23
SHA1 f851be99396b0c10c1a74a95d6b08f51bf0f3e79
SHA256 4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5
SHA512 0b23966098735dd1361b277bf93fa9f760d14d09361e1cb3baef6a72c2b6db6d20a9a5312414e1c9af75840628114aa37325e6e0919617edf03ea75a8219738a

memory/1404-16-0x0000000006F80000-0x0000000007435000-memory.dmp

memory/1404-21-0x0000000006F80000-0x0000000007435000-memory.dmp

memory/2692-20-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1404-19-0x0000000000390000-0x0000000000845000-memory.dmp

memory/2692-22-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-23-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-25-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-26-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-27-0x0000000000360000-0x0000000000815000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

MD5 54995f5af32ec74fbc70acc9edaa9fd3
SHA1 8f8e7306b0f1017f9aaa317045a988502855d2a8
SHA256 da0a971e9d9a0afdcbe0f59c98a8c932cf4b380fb4038c7ede297951189d34c6
SHA512 c25743be84a638410815fade935f03fbb1871c4a7526786591d7519fe4818e758c1e4328e43fa727d52c45572c327123cdc2bf17299b57f7b9c511a4179059e5

memory/2692-42-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-44-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-45-0x0000000006D00000-0x0000000007149000-memory.dmp

memory/1788-47-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-46-0x0000000006D00000-0x0000000007149000-memory.dmp

memory/2692-51-0x0000000006D00000-0x0000000007149000-memory.dmp

memory/1788-53-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-54-0x0000000006D00000-0x0000000007149000-memory.dmp

memory/2692-52-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1788-55-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-56-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1788-57-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-58-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1788-59-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1788-60-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-61-0x0000000000360000-0x0000000000815000-memory.dmp

memory/2692-62-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1788-63-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1972-66-0x0000000000400000-0x0000000000849000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 b94e0535858388543f3d814330d17dea
SHA1 2099a5d6a2f0a090ae25110acb10a40e6f034d2c
SHA256 efcb7f53185f8a161cdf06782c438f3d3b51d22248746dce1cc14e4b2350a08a
SHA512 443fdf49d551ee4a2f3c17bde366189f83fed3f8547500ef682fc8be41460bbe1681d29e9c397e2f3692115c6398f1ff2887de1e0a228c0993faa45b6ab362ca

memory/2692-68-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1788-69-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1788-70-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1972-71-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1972-72-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-73-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-74-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-75-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-76-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-77-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-78-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-79-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-80-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-81-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-82-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-83-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-84-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2692-85-0x0000000000360000-0x0000000000815000-memory.dmp

memory/1972-86-0x0000000000400000-0x0000000000849000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-28 07:34

Reported

2025-02-28 07:37

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\duqaciw\egtibt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\duqaciw\egtibt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\duqaciw\egtibt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\duqaciw\egtibt.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\duqaciw\egtibt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

"C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\duqaciw\egtibt.exe

C:\ProgramData\duqaciw\egtibt.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4927 towerbingobongoboom.com tcp
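The two Network tables (behavioral1 above and behavioral2 here) mix resolver traffic, sandbox platform noise and the sample's own connections. The Python below is an added example, not part of the report: it parses both tables, separates names that were resolved but never connected to, direct-to-IP connections and connections on non-web ports, and diffs the two runs to show which destinations are stable across detonations. Treating *.bing.com and *.bing.net as Windows platform noise is this example's assumption; the country, port and protocol columns are taken as printed.

```python
"""Turn the flattened Network tables of a sandbox report into categorised IOCs."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed input: the two Network tables from this report, copied as printed.
BEHAVIORAL1 = """
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4911 towerbingobongoboom.com tcp
US 8.8.8.8:53 secure.xposedskinz.com udp
US 8.8.8.8:53 secure.soawk.com udp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4927 towerbingobongoboom.com tcp
"""

NET_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")
# Assumption for this example: these suffixes are sandbox/Windows platform traffic,
# not something the sample initiated.
PLATFORM_NOISE_SUFFIXES = (".bing.com", ".bing.net")
WEB_PORTS = {80, 443}


def parse_network(text: str) -> List[Dict[str, object]]:
    """Parse 'CC ip:port name proto' rows; lines that do not match are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.strip().splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                         "name": m.group(4), "proto": m.group(5)})
    return rows


def classify(row: Dict[str, object]) -> str:
    """Label one row; 'nonstandard-port' and 'direct-ip' are the rows worth pivoting on."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-lookup"
    if str(row["name"]).endswith(PLATFORM_NOISE_SUFFIXES):
        return "platform-noise"
    if row["name"] == row["ip"]:
        return "direct-ip"          # no lookup preceded it: the address is hard-coded
    if row["port"] not in WEB_PORTS:
        return "nonstandard-port"   # easy to spot in proxy/egress logs
    return "web"


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Group connections by category; names that were resolved but never connected to
    are listed under 'resolved-only' (still usable as DNS indicators)."""
    rows = parse_network(text)
    connected = {r["name"] for r in rows if r["proto"] == "tcp"}
    groups: Dict[str, set] = defaultdict(set)
    for r in rows:
        cat = classify(r)
        if cat == "dns-lookup":
            if r["name"] not in connected:
                groups["resolved-only"].add(str(r["name"]))
            continue
        groups[cat].add(f'{r["ip"]}:{r["port"]} {r["name"]}')
    return {k: sorted(v) for k, v in groups.items()}


def diff_runs(run_a: str, run_b: str) -> Dict[str, List[str]]:
    """Split sample-attributable TCP endpoints into stable and run-specific sets."""
    def endpoints(text: str) -> set:
        return {f'{r["ip"]}:{r["port"]}' for r in parse_network(text)
                if r["proto"] == "tcp" and classify(r) != "platform-noise"}
    a, b = endpoints(run_a), endpoints(run_b)
    return {"stable": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


if __name__ == "__main__":
    for label, text in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(label, extract_iocs(text))
    print("diff", diff_runs(BEHAVIORAL1, BEHAVIORAL2))
```

Across both tables, 93.186.202.3:4000 and the two port-80 destinations appear in both runs, while the second connection to 93.186.202.3 lands on 4911 in the Windows 7 run and 4927 in the Windows 10 run, so a rule keyed on that second port alone would miss one of the two detonations; the host plus port 4000, and the direct-to-IP connection to 104.194.157.122:80, are the stable pivots. The Windows 7 run also resolves secure.xposedskinz.com and secure.soawk.com without ever connecting to them, which is worth keeping as a DNS indicator. The same stability question applies to the dropped files listed under Files: hypperdrive.exe hashes identically in both runs, but C:\Windows\Tasks\Test Task17.job does not, so the job file's hash is not a usable indicator while its path and name are.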

Files

memory/3384-0-0x0000000000EB0000-0x0000000001365000-memory.dmp

memory/3384-1-0x0000000077974000-0x0000000077976000-memory.dmp

memory/3384-2-0x0000000000EB1000-0x0000000000EDF000-memory.dmp

memory/3384-3-0x0000000000EB0000-0x0000000001365000-memory.dmp

memory/3384-4-0x0000000000EB0000-0x0000000001365000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 66336092dce79c1abbe03207cd634a23
SHA1 f851be99396b0c10c1a74a95d6b08f51bf0f3e79
SHA256 4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5
SHA512 0b23966098735dd1361b277bf93fa9f760d14d09361e1cb3baef6a72c2b6db6d20a9a5312414e1c9af75840628114aa37325e6e0919617edf03ea75a8219738a

memory/3384-18-0x0000000000EB0000-0x0000000001365000-memory.dmp

memory/116-15-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/116-19-0x0000000000201000-0x000000000022F000-memory.dmp

memory/116-20-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/116-21-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/116-22-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/1296-24-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/1296-25-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/1296-26-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/1296-28-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/1296-29-0x0000000000201000-0x000000000022F000-memory.dmp

memory/116-30-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/116-31-0x0000000000200000-0x00000000006B5000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

MD5 54995f5af32ec74fbc70acc9edaa9fd3
SHA1 8f8e7306b0f1017f9aaa317045a988502855d2a8
SHA256 da0a971e9d9a0afdcbe0f59c98a8c932cf4b380fb4038c7ede297951189d34c6
SHA512 c25743be84a638410815fade935f03fbb1871c4a7526786591d7519fe4818e758c1e4328e43fa727d52c45572c327123cdc2bf17299b57f7b9c511a4179059e5

memory/116-41-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/116-46-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/2812-47-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-51-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/2812-52-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-53-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/2812-54-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-55-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/2812-56-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-57-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/2812-58-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-59-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/2812-60-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-61-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/3240-63-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-66-0x0000000000400000-0x0000000000849000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 b5ae52c593b461c1191b77743b772674
SHA1 9d635ea27d99127b690064229fb6fff489cdbf7b
SHA256 5f68e2c8ee4bdb241b2c5fe739917c26896eb8d25b686e0e9557df4a09fd8448
SHA512 c2996f66ccb37807070222420e4a7db32d97670088ab3b4ad7f90da689fe9e80d4625b8f66c01e2c806bde67f2030e06502629b58992c0e21e2d3fa0bd157c14

memory/2812-68-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2812-69-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-70-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-71-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-72-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-73-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-74-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-75-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-76-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-77-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-78-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-79-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-80-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/1824-82-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-83-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-84-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-85-0x0000000000400000-0x0000000000849000-memory.dmp

memory/116-86-0x0000000000200000-0x00000000006B5000-memory.dmp

memory/5004-87-0x0000000000400000-0x0000000000849000-memory.dmp