Malware Analysis Report

2025-04-03 09:37

Sample ID 250226-j7dtea1lz3
Target e3db5749715032f09380e2b83170df85.exe
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe

Threat Level: Known bad

The file e3db5749715032f09380e2b83170df85.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey

Systembc family

SystemBC

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-26 08:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 08:18

Reported

2025-02-26 08:20

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\pdqgt\tngdm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\10000200102\ssystemfiktums.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\pdqgt\tngdm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\pdqgt\tngdm.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\ProgramData\pdqgt\tngdm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\10000200102\ssystemfiktums.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\pdqgt\tngdm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe

"C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\10000200102\ssystemfiktums.exe

"C:\Users\Admin\10000200102\ssystemfiktums.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\pdqgt\tngdm.exe

C:\ProgramData\pdqgt\tngdm.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5111 towerbingobongoboom.com tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

C:\Users\Admin\10000200102\ssystemfiktums.exe

MD5 f398330ff76c75dbaffe5c18078c35e5
SHA1 97c7b2fa744cdf86ce74322f0a683b260e21d188
SHA256 81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699
SHA512 69768f2338ceff5e0872ef066201a3b06ad30b31138524d62943982d67dd046a8cd2051a9730a8e81ea93404fddd734fa1c6cab8ccb5689fd343572604c8cb8c

C:\Windows\Tasks\Test Task17.job

MD5 d2609b51e75d95d987180dd55d79f171
SHA1 cc1ba3beea3616d6e801f9ef46aa9986af16e5d7
SHA256 16130dbae297679267e002247fb7d6832cc9bc14df3841e3eedb3cf64dccabec
SHA512 5b73122dcfeabb84a5564864299d5b8518575b429ad35ecebe472b8f993d4a94da4667d30ca1a7fd4bfc55cf26d52b3132cf30c898cedcbf78648b30cd9e19b3


Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 08:18

Reported

2025-02-26 08:20

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\kcufh\dahxw.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\kcufh\dahxw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\kcufh\dahxw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
N/A N/A C:\ProgramData\kcufh\dahxw.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\ProgramData\kcufh\dahxw.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
N/A N/A C:\ProgramData\kcufh\dahxw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\10000200102\ssystemfiktums.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\10000200102\ssystemfiktums.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kcufh\dahxw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2192 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2192 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2192 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\10000200102\ssystemfiktums.exe
PID 2872 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kcufh\dahxw.exe
PID 2872 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kcufh\dahxw.exe
PID 2872 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kcufh\dahxw.exe
PID 2872 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kcufh\dahxw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe

"C:\Users\Admin\AppData\Local\Temp\e3db5749715032f09380e2b83170df85.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\10000200102\ssystemfiktums.exe

"C:\Users\Admin\10000200102\ssystemfiktums.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F83D0C2D-C537-4389-A208-EE5794AD9609} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]

C:\ProgramData\kcufh\dahxw.exe

C:\ProgramData\kcufh\dahxw.exe

Network


Files

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

C:\Users\Admin\10000200102\ssystemfiktums.exe

MD5 f398330ff76c75dbaffe5c18078c35e5
SHA1 97c7b2fa744cdf86ce74322f0a683b260e21d188
SHA256 81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699
SHA512 69768f2338ceff5e0872ef066201a3b06ad30b31138524d62943982d67dd046a8cd2051a9730a8e81ea93404fddd734fa1c6cab8ccb5689fd343572604c8cb8c

C:\Windows\Tasks\Test Task17.job

MD5 0d609d898f6575456766030ec13989c8
SHA1 f82d6bb9f5a631efb6f7cfaab6fd6b9cd27a4258
SHA256 8a096200a7a892594368f6904dadaed045c99997bdbd82d45a0a06b5df228ea8
SHA512 01ad9c7f6c6105b71344dba5447886b52f3f52e4544d4fcbd46c0009308b045f072e06b331cfa83a4e03c2c8ce483ed40a8cd12bd8fa83928968401e69d75777
