Malware Analysis Report

2025-04-03 09:18

Sample ID 250307-s6681asrw4
Target a9749ee52eefb0fd48a66527095354bb.exe
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
Tags
a4d2cd amadey systembc defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

Threat Level: Known bad

The file a9749ee52eefb0fd48a66527095354bb.exe was found to be: Known bad.

Malicious Activity Summary

a4d2cd amadey systembc defense_evasion discovery trojan

SystemBC

Amadey family

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-07 15:45

Signatures

Amadey family

amadey

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-07 15:45

Reported

2025-03-07 15:47

Platform

win7-20241010-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\dupm\popswpo.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\dupm\popswpo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\dupm\popswpo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\ProgramData\dupm\popswpo.exe N/A
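The three registry probes above (the VBOX__ OEM table under HARDWARE\ACPI\DSDT, the per-user Software\Wine key, and the SystemBiosVersion/VideoBiosVersion values) are standard hypervisor and sandbox fingerprinting checks, and the fact that both cubrodriver.exe and popswpo.exe run all three from user-writable paths is what makes them usable as a detection. The Python below is an added example, not part of this report or of any sandbox's signature set: it classifies registry-access events by probe category and flags non-Windows images that hit two or more categories. The event records are constructed to mirror the report's own "Key opened" and "Key value queried" rows; their field names are assumptions, and the FADT and RSDT variants of the VirtualBox key are added because VirtualBox publishes the same OEM ID under all three ACPI table keys.

```python
import re
from collections import defaultdict

# Registry locations probed by cubrodriver.exe and popswpo.exe in this report.
# DSDT is what the report shows; FADT and RSDT are added because VirtualBox
# exposes the same "VBOX__" OEM ID under all three ACPI table keys.
PROBE_PATTERNS = {
    "vbox_acpi": re.compile(
        r"\\registry\\machine\\hardware\\acpi\\(?:dsdt|fadt|rsdt)\\vbox__$", re.I),
    "wine": re.compile(
        r"\\registry\\user\\[^\\]+\\software\\wine$", re.I),
    "bios_version": re.compile(
        r"\\registry\\machine\\hardware\\description\\system\\(?:system|video)biosversion$", re.I),
}

# Images under the Windows directory are platform components that legitimately
# read BIOS strings; they are not scored.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)


def classify_key(key):
    """Return the probe category a kernel-style registry path belongs to, or None."""
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(key):
            return name
    return None


def score_processes(events):
    """Map each process image to the set of probe categories it touched.

    Each event is a dict with 'image' (full path of the acting process),
    'op' ('open' or 'query') and 'key' (the registry path). The field names
    are an assumption about what an API-monitor trace would carry.
    """
    hits = defaultdict(set)
    for ev in events:
        category = classify_key(ev["key"])
        if category:
            hits[ev["image"]].add(category)
    return hits


def flag_suspicious(events, min_categories=2):
    """Images outside the Windows directory that hit at least min_categories probes."""
    hits = score_processes(events)
    return sorted(
        image for image, cats in hits.items()
        if len(cats) >= min_categories and not WINDOWS_DIR.search(image)
    )


# Constructed trace mirroring the report's rows, plus one benign platform
# process and the sample's language check for contrast.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe",
     "op": "open", "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"image": r"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe",
     "op": "open", "key": r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine"},
    {"image": r"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe",
     "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"image": r"C:\ProgramData\dupm\popswpo.exe",
     "op": "open", "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"image": r"C:\ProgramData\dupm\popswpo.exe",
     "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    # Benign: a Windows component reading the BIOS string once (constructed).
    {"image": r"C:\Windows\System32\svchost.exe",
     "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    # Language check from the report: discovery, not an anti-VM probe.
    {"image": r"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe",
     "op": "open", "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

if __name__ == "__main__":
    for image, cats in sorted(score_processes(SAMPLE_EVENTS).items()):
        print(f"{image}: {sorted(cats)}")
    print("flagged:", flag_suspicious(SAMPLE_EVENTS))
```

Two caveats. Sysmon's registry events (12, 13, 14) cover create, delete, set and rename, not key opens or value reads, so on a live endpoint this logic needs an EDR or API-monitor feed, or Object Access auditing with a SACL on the three keys. And the BIOS values alone are read by legitimate software, which is why the rule requires a second category before it fires.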

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
N/A N/A C:\ProgramData\dupm\popswpo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dupm\popswpo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
N/A N/A C:\ProgramData\dupm\popswpo.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1980 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe 4
PID 320 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe 4
PID 3028 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\dupm\popswpo.exe 4
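All three writer/target pairs in this table line up with the process list below (the sample, Gxtuum.exe, cubrodriver.exe, then taskeng.exe and popswpo.exe). CreateProcess writes the new process's parameters into the child it has just created, so a handful of writes from a parent into a process it started is what plain process creation looks like, and taskeng.exe writing into popswpo.exe is the Task Scheduler engine firing the scheduled task, not an injection. Read these rows as the execution chain rather than as evidence of code injection. The Python below is an added example, not part of this report: it parses rows in the report's own layout, collapses the repeats into counts and walks writer-to-target edges into chains. The sample rows are copied from the table above; splitting the remainder of each row at the next drive letter is an assumption that also holds for image paths containing spaces.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename

# One "Suspicious use of WriteProcessMemory" row as the report prints it:
#   PID <writer> wrote to memory of <target> N/A <writer image> <target image>
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Windows paths start with a drive letter; cut the remainder just before the
# next "X:\" so images containing spaces stay intact.
PATHS = re.compile(r"[A-Za-z]:\\.*?(?=\s+[A-Za-z]:\\|$)")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, target_image) per row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        paths = PATHS.findall(m.group(3))
        if len(paths) != 2:
            continue
        yield m.group(1), m.group(2), paths[0], paths[1]


def write_counts(text):
    """Collapse repeated rows into {(writer_pid, target_pid): count}."""
    return Counter((w, t) for w, t, _, _ in parse_rows(text))


def injection_chains(text):
    """Follow writer->target edges from roots (PIDs nobody wrote to) and
    return each chain as a tuple of image basenames, roots in PID order."""
    edges = defaultdict(list)
    image = {}
    for w, t, wimg, timg in parse_rows(text):
        image[w], image[t] = wimg, timg
        if t not in edges[w]:
            edges[w].append(t)
    targets = {t for ts in edges.values() for t in ts}
    roots = sorted(p for p in edges if p not in targets)
    chains = []
    for root in roots:
        stack = [(root, (basename(image[root]),))]
        while stack:
            pid, path = stack.pop()
            if not edges.get(pid):
                chains.append(path)
                continue
            for child in edges[pid]:
                stack.append((child, path + (basename(image[child]),)))
    return chains


# Rows copied from the behavioral1 table, which lists each pair four times.
_R1 = r"PID 1980 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
_R2 = r"PID 320 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe"
_R3 = r"PID 3028 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\dupm\popswpo.exe"
SAMPLE_ROWS = "\n".join([_R1] * 4 + [_R2] * 4 + [_R3] * 4)

if __name__ == "__main__":
    for (w, t), n in write_counts(SAMPLE_ROWS).items():
        print(f"{w} -> {t}: {n} writes")
    for chain in injection_chains(SAMPLE_ROWS):
        print(" -> ".join(chain))
```

The two chains that fall out are the sample to Gxtuum.exe to cubrodriver.exe, and taskeng.exe to popswpo.exe; the second one is the persistence path, since taskeng.exe only starts what a scheduled task tells it to.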

Processes

C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe

"C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {44ED527A-5A66-4BDA-80D0-4D6F487C0207} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]

C:\ProgramData\dupm\popswpo.exe

C:\ProgramData\dupm\popswpo.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp 1
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp 1
LU 45.59.120.8:80 45.59.120.8 tcp 1
US 8.8.8.8:53 towerbingobongoboom.com udp 1
US 213.209.150.137:4000 towerbingobongoboom.com tcp 1
US 213.209.150.137:4086 towerbingobongoboom.com tcp 88
US 213.209.150.137:4086 (none) tcp 1

Files

memory/1980-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

MD5 190272ebd2e82a80b242b1bdd442b859
SHA1 fceb12a205c28c30b2049c55924a9872a1a3eb71
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
SHA512 f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

memory/320-26-0x0000000004390000-0x00000000047D0000-memory.dmp

memory/320-28-0x0000000004390000-0x00000000047D0000-memory.dmp

memory/604-27-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-29-0x0000000077B00000-0x0000000077B02000-memory.dmp

memory/604-30-0x0000000000401000-0x0000000000403000-memory.dmp

memory/604-33-0x0000000000400000-0x0000000000840000-memory.dmp

memory/320-35-0x0000000004390000-0x00000000047D0000-memory.dmp

memory/604-36-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-37-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-39-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-40-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-43-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 a0452c08c1cb4eba582f78a0794d6d48
SHA1 b34ffe27ff30ad267295e0a95b506401b7fb42f6
SHA256 1402218034bc362ba7e36aa6e2990454b02361eae6f5fdc0ae1db3333f08a26b
SHA512 5f2056a7181c2eb651b129f90519836d949fec3b8df5aa0f1ec047b5506f262029dcfbc1105f48c3617809cd38551c6040075a86d2b103b50c9662038f9554e6

memory/604-45-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-46-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-47-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-48-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-49-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-50-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-51-0x0000000000400000-0x0000000000840000-memory.dmp

memory/604-52-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-53-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-54-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-55-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-56-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-57-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-58-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-59-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1748-60-0x0000000000400000-0x0000000000840000-memory.dmp
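Two things in the behavioral1 network and file data deserve pulling out. The dropped Gxtuum.exe carries exactly the MD5, SHA1 and SHA256 of the submitted sample, so it is the sample copying itself into a58456755d under Temp and registering Gxtuum.job, while cubrodriver.exe is a distinct file. And 89 of the 94 connection rows go to one host on TCP 4086 under a name that also resolved for port 4000, which is the repetitive non-standard-port traffic to treat as the network indicator for this run; the Test Task17.job hash, by contrast, differs between this run and behavioral2 (the .job format carries the author account and run timestamps), so it is not a stable indicator. The Python below is an added example, not part of this report: it parses network rows in the report's layout, including the final row that lacks a Domain field, collapses them into per-destination counts, ranks TCP destinations on non-standard ports by volume, and checks dropped-file hashes against the sample. Rows and hashes are copied from this report; the port allowlist is an assumption.

```python
import re
from collections import Counter

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15"

# Network rows in the report's layout (Country Destination Domain Proto),
# copied from behavioral1. The beacon row appears 88 times there, and the
# final row has no Domain field, which a fixed 4-column split would break on.
BEACON_ROW = "US 213.209.150.137:4086 towerbingobongoboom.com tcp"
NETWORK_ROWS = "\n".join([
    "US 8.8.8.8:53 cobolrationumelawrtewarms.com udp",
    "NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp",
    "LU 45.59.120.8:80 45.59.120.8 tcp",
    "US 8.8.8.8:53 towerbingobongoboom.com udp",
    "US 213.209.150.137:4000 towerbingobongoboom.com tcp",
] + [BEACON_ROW] * 88 + ["US 213.209.150.137:4086 tcp"])

# Dropped files with the hashes the report lists for behavioral1.
DROPPED_FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe",
     "md5": "a9749ee52eefb0fd48a66527095354bb",
     "sha256": "b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15"},
    {"path": r"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe",
     "md5": "190272ebd2e82a80b242b1bdd442b859",
     "sha256": "c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131"},
    # Differs between the two runs (behavioral2 lists 450f2ca6...), so not a
    # stable indicator; the .job format carries author and run timestamps.
    {"path": r"C:\Windows\Tasks\Test Task17.job",
     "md5": "a0452c08c1cb4eba582f78a0794d6d48",
     "sha256": "1402218034bc362ba7e36aa6e2990454b02361eae6f5fdc0ae1db3333f08a26b"},
]


def parse_network(text):
    """Collapse repeated rows into a Counter keyed by (destination, domain, proto)."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:          # row with the Domain column missing
            _country, dest, proto = parts
            domain = ""
        else:
            continue
        counts[(dest, domain, proto)] += 1
    return counts


def c2_candidates(counts, common_ports=frozenset({53, 80, 443})):
    """TCP destinations on ports outside common_ports, most connections first.
    The allowlist is an assumption; widen it for the environment you hunt in."""
    per_dest = Counter()
    for (dest, _domain, proto), n in counts.items():
        port = int(dest.rsplit(":", 1)[1])
        if proto == "tcp" and port not in common_ports:
            per_dest[dest] += n
    return per_dest.most_common()


def contacted_domains(counts):
    """Distinct DNS names, dropping rows where the Domain column was a bare IP."""
    return sorted({d for (_dest, d, _proto) in counts
                   if d and not re.fullmatch(r"[\d.]+", d)})


def self_copies(files, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f["sha256"] == sample_sha256]


if __name__ == "__main__":
    counts = parse_network(NETWORK_ROWS)
    print("C2 candidates:", c2_candidates(counts))
    print("domains:", contacted_domains(counts))
    print("self-copies of the sample:", self_copies(DROPPED_FILES, SAMPLE_SHA256))
```

The 45.59.120.8:80 row has a bare IP in the Domain column, which is why contacted_domains() filters on shape rather than trusting the column; the two 8.8.8.8:53 rows are the resolver queries for the two names and drop out of the TCP ranking on both port and protocol.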

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-07 15:45

Reported

2025-03-07 15:47

Platform

win10v2004-20250217-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\dnbfuag\ghjnsh.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\dnbfuag\ghjnsh.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\dnbfuag\ghjnsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\ProgramData\dnbfuag\ghjnsh.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A
N/A N/A C:\ProgramData\dnbfuag\ghjnsh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dnbfuag\ghjnsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe

"C:\Users\Admin\AppData\Local\Temp\a9749ee52eefb0fd48a66527095354bb.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

"C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe"

C:\ProgramData\dnbfuag\ghjnsh.exe

C:\ProgramData\dnbfuag\ghjnsh.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp 1
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp 1
LU 45.59.120.8:80 45.59.120.8 tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 towerbingobongoboom.com udp 1
US 213.209.150.137:4000 towerbingobongoboom.com tcp 1
US 213.209.150.137:4086 towerbingobongoboom.com tcp 1

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

MD5 190272ebd2e82a80b242b1bdd442b859
SHA1 fceb12a205c28c30b2049c55924a9872a1a3eb71
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
SHA512 f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

memory/4692-24-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-26-0x0000000077464000-0x0000000077466000-memory.dmp

memory/4692-27-0x0000000000401000-0x0000000000403000-memory.dmp

memory/4692-28-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-31-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-32-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-33-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-34-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-35-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-38-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 f4f04d8ccfcb08e60c6da0e1f483258d
SHA1 44c0c5b351c326d6f4a6cb6d78b3fd105da68f3c
SHA256 450f2ca62e5c0fb53f3fab47b86bc1e8f1dbe85ee30dbd2b2926d9c6344540f5
SHA512 b8f47ca896bdd5077111c4387893a062125decc97f4bb487273c4c91a9b713ffdd814e5e2b05e5f3016eac1f66f02439e41d4a3075093563bad5139039495adb

memory/4692-41-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-43-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-44-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-45-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-46-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-47-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-48-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-49-0x0000000000400000-0x0000000000840000-memory.dmp

memory/4692-50-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-51-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-53-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-54-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-55-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-56-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2728-57-0x0000000000400000-0x0000000000840000-memory.dmp