Malware Analysis Report

2025-04-03 09:09

Sample ID 250228-jjaf3svses
Target 36e536a514745cab05f83cbe5f4a412e.exe
SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715
Tags amadey systembc a4d2cd defense_evasion discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715

Threat Level: Known bad

The file 36e536a514745cab05f83cbe5f4a412e.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey

Systembc family

SystemBC

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-28 07:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-28 07:41

Reported

2025-02-28 07:43

Platform

win7-20240903-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\sonnla\okihcap.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\sonnla\okihcap.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\sonnla\okihcap.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine C:\ProgramData\sonnla\okihcap.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\sonnla\okihcap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1964 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2340 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2340 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2340 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2340 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe
PID 2452 wrote to memory of 2424 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\sonnla\okihcap.exe
PID 2452 wrote to memory of 2424 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\sonnla\okihcap.exe
PID 2452 wrote to memory of 2424 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\sonnla\okihcap.exe
PID 2452 wrote to memory of 2424 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\sonnla\okihcap.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe

"C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

"C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7910EC5B-FFFF-4DD6-A93F-700ED0266F9B} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]

C:\ProgramData\sonnla\okihcap.exe

C:\ProgramData\sonnla\okihcap.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4928 towerbingobongoboom.com tcp

Files

memory/1964-0-0x0000000000F80000-0x0000000001435000-memory.dmp

memory/1964-1-0x00000000777A0000-0x00000000777A2000-memory.dmp

memory/1964-2-0x0000000000F81000-0x0000000000FAF000-memory.dmp

memory/1964-3-0x0000000000F80000-0x0000000001435000-memory.dmp

memory/1964-5-0x0000000000F80000-0x0000000001435000-memory.dmp

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 36e536a514745cab05f83cbe5f4a412e
SHA1 befb59b14249e5f240bb80281f1a14663438b126
SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715
SHA512 63245e2771ce4118f3a51a5d0d87cec398838389e56ad7783299cd21b98f5f5b33dcf99ca015f68b30d9349e94c8cfc1e7ad40ec67f8db2766d38c94202ab88f

memory/1964-19-0x0000000006990000-0x0000000006E45000-memory.dmp

memory/1964-18-0x0000000000F80000-0x0000000001435000-memory.dmp

memory/2340-21-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/1964-20-0x0000000006990000-0x0000000006E45000-memory.dmp

memory/2340-22-0x00000000008C1000-0x00000000008EF000-memory.dmp

memory/2340-23-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-24-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-26-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-27-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-28-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-29-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-30-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-31-0x00000000008C0000-0x0000000000D75000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

MD5 54995f5af32ec74fbc70acc9edaa9fd3
SHA1 8f8e7306b0f1017f9aaa317045a988502855d2a8
SHA256 da0a971e9d9a0afdcbe0f59c98a8c932cf4b380fb4038c7ede297951189d34c6
SHA512 c25743be84a638410815fade935f03fbb1871c4a7526786591d7519fe4818e758c1e4328e43fa727d52c45572c327123cdc2bf17299b57f7b9c511a4179059e5

memory/2340-47-0x0000000006C60000-0x00000000070A9000-memory.dmp

memory/2340-46-0x0000000006C60000-0x00000000070A9000-memory.dmp

memory/2132-49-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-53-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2340-54-0x0000000006C60000-0x00000000070A9000-memory.dmp

memory/2340-55-0x0000000006C60000-0x00000000070A9000-memory.dmp

memory/2132-56-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2132-57-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-58-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-61-0x0000000000400000-0x0000000000849000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 0d3f6b8215f0069945567ce0f5480700
SHA1 89f153468b77a640277a0f713c4a5873c917bcd1
SHA256 5f72f3f838abf86b83dc9b591683827ccb4ab0afcee4c7dd9e6bdc9de094991c
SHA512 ac72024a477856ba0720c966024e81433c0b8610c31a4da190d1d2eb6ff4d27473fd119f242a8ccaa13526ff2e3a0801ebb69a9232aa666a524122097d39dd8c

memory/2132-63-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-64-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-65-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2424-66-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2132-67-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-68-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-69-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2132-70-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-71-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-72-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2132-73-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-74-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-75-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2132-76-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-78-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-79-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-80-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-81-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-82-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-83-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-84-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-85-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-86-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-87-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-88-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-89-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2340-90-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2424-91-0x0000000000400000-0x0000000000849000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-28 07:41

Reported

2025-02-28 07:43

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\dvqebnc\rcns.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\dvqebnc\rcns.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\dvqebnc\rcns.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\ProgramData\dvqebnc\rcns.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dvqebnc\rcns.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe

"C:\Users\Admin\AppData\Local\Temp\36e536a514745cab05f83cbe5f4a412e.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

"C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\dvqebnc\rcns.exe

C:\ProgramData\dvqebnc\rcns.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4929 towerbingobongoboom.com tcp
US 8.8.8.8:53 udp

Files

memory/4120-0-0x00000000005B0000-0x0000000000A65000-memory.dmp

memory/4120-1-0x0000000077264000-0x0000000077266000-memory.dmp

memory/4120-2-0x00000000005B1000-0x00000000005DF000-memory.dmp

memory/4120-3-0x00000000005B0000-0x0000000000A65000-memory.dmp

memory/4120-4-0x00000000005B0000-0x0000000000A65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 36e536a514745cab05f83cbe5f4a412e
SHA1 befb59b14249e5f240bb80281f1a14663438b126
SHA256 539b89630bf205ece9a5e8e8a1326534c5a39dc511839c68ecb99ef9f5a97715
SHA512 63245e2771ce4118f3a51a5d0d87cec398838389e56ad7783299cd21b98f5f5b33dcf99ca015f68b30d9349e94c8cfc1e7ad40ec67f8db2766d38c94202ab88f

memory/3920-18-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4120-17-0x00000000005B0000-0x0000000000A65000-memory.dmp

memory/3920-19-0x0000000000A71000-0x0000000000A9F000-memory.dmp

memory/3920-20-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/3920-21-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/3920-22-0x0000000000A70000-0x0000000000F25000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

MD5 54995f5af32ec74fbc70acc9edaa9fd3
SHA1 8f8e7306b0f1017f9aaa317045a988502855d2a8
SHA256 da0a971e9d9a0afdcbe0f59c98a8c932cf4b380fb4038c7ede297951189d34c6
SHA512 c25743be84a638410815fade935f03fbb1871c4a7526786591d7519fe4818e758c1e4328e43fa727d52c45572c327123cdc2bf17299b57f7b9c511a4179059e5

memory/2736-37-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-38-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/2736-43-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2736-42-0x0000000000401000-0x0000000000403000-memory.dmp

memory/2736-41-0x0000000004910000-0x0000000004911000-memory.dmp

memory/2736-40-0x0000000004940000-0x0000000004941000-memory.dmp

memory/3920-45-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/2736-46-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2736-47-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2736-48-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-49-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/2736-50-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-51-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/3096-53-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-56-0x0000000000400000-0x0000000000849000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 73813f0752d22a7856cd72c05de12af7
SHA1 db46db473ebf2cdcea5014730f4a9706f1df5d5c
SHA256 70f21e0b8cd0fbc77a35b3f2174bb3b1dfab607d284dc8d12297829d8980bfd9
SHA512 03acb7222a81a0bc20901518f99f2d61cd347c233605a609ea9559901a0f0c127e5fdde6eb593a162d853c17bd100a2b1a111b27d9c68869f18868303b21fcf1

memory/3096-58-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/2736-59-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-60-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-61-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2736-62-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-63-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-64-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2736-65-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-66-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-67-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2736-68-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-69-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-70-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-71-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-72-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-73-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4372-75-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4372-76-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-77-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-78-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-79-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-80-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-81-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-82-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-83-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-84-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-85-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3920-86-0x0000000000A70000-0x0000000000F25000-memory.dmp

memory/4816-87-0x0000000000400000-0x0000000000849000-memory.dmp