Malware Analysis Report

2025-04-03 09:32

Sample ID 250305-rr7qjs1lz6
Target coredrive.exe
SHA256 a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221
Tags
systembc defense_evasion discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221

Threat Level: Known bad

The file coredrive.exe was found to be: Known bad.

Malicious Activity Summary

systembc defense_evasion discovery trojan

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 14:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 14:26

Reported

2025-03-05 14:29

Platform

win7-20241010-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\kgedb\igfg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\kgedb\igfg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\kgedb\igfg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\kgedb\igfg.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine C:\ProgramData\kgedb\igfg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
N/A N/A C:\ProgramData\kgedb\igfg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kgedb\igfg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
N/A N/A C:\ProgramData\kgedb\igfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kgedb\igfg.exe
PID 2796 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kgedb\igfg.exe
PID 2796 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kgedb\igfg.exe
PID 2796 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\kgedb\igfg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\coredrive.exe

"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {731D188C-70B7-44CB-BD59-E8F19DD72745} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]

C:\ProgramData\kgedb\igfg.exe

C:\ProgramData\kgedb\igfg.exe

Network

Files

C:\ProgramData\kgedb\igfg.exe

MD5 c6a399eb155322a8cbf1390c118553cb
SHA1 c59b0aa34638e8991358520e29625bb7fb4e3b6b
SHA256 a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221
SHA512 6437b6ea8990130f8e69b113f6ec8310e8831a80a2cf7ef1d8d16b323729a89c4a00a8900030e77f5671a7a40971e519731ec22519d98d7af29577dcb5dfe44e

C:\Windows\Tasks\Test Task17.job

MD5 df9d2178e626c597a5cf0a51b5ce38b3
SHA1 b52431520491936688d4c48d4ed820fa2eaee5d1
SHA256 b17547bf57baed3d1c08cc5a84fccefd394affbdc912a74efc19ded10d66ec08
SHA512 f5e0a4ef6be0421413cfae340030f6754690b1adabdff6e6a57846aff93a24e39b98cd99e8284d9dc5ae9e8c601744cf7ffc2dd91748e4e1ca4d0c90093eed8f

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 14:26

Reported

2025-03-05 14:29

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\jjle\qbhrwp.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\jjle\qbhrwp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\jjle\qbhrwp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jjle\qbhrwp.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine C:\ProgramData\jjle\qbhrwp.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
N/A N/A C:\ProgramData\jjle\qbhrwp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\jjle\qbhrwp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coredrive.exe N/A
N/A N/A C:\ProgramData\jjle\qbhrwp.exe N/A
N/A N/A C:\ProgramData\jjle\qbhrwp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\coredrive.exe

"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"

C:\ProgramData\jjle\qbhrwp.exe

C:\ProgramData\jjle\qbhrwp.exe

Network

Files

C:\ProgramData\jjle\qbhrwp.exe

MD5 c6a399eb155322a8cbf1390c118553cb
SHA1 c59b0aa34638e8991358520e29625bb7fb4e3b6b
SHA256 a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221
SHA512 6437b6ea8990130f8e69b113f6ec8310e8831a80a2cf7ef1d8d16b323729a89c4a00a8900030e77f5671a7a40971e519731ec22519d98d7af29577dcb5dfe44e

C:\Windows\Tasks\Test Task17.job

MD5 ee6b447f68cc41c0debb6307b42698b8
SHA1 5831b03201c52c621fa88f9cc8efec8eb84bf61f
SHA256 81879c88526d192a94ff39277a5e59da06fc1487315340f2eec1ab33f07b201c
SHA512 ef36812bebc0f33b664f70f2e167b21a68f50f21ac684b8ecac86e32ddb876b2f58360098353369ddd568d014de5e3f6c94b7102aa73352b70000dccccbf1cc7
