Analysis Overview
SHA256
a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221
Threat Level: Known bad
The file coredrive.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Identifies Wine through registry keys
Checks BIOS information in registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-05 14:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 14:26
Reported
2025-03-05 14:29
Platform
win7-20241010-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\kgedb\igfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\kgedb\igfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\kgedb\igfg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\kgedb\igfg.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine | C:\ProgramData\kgedb\igfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| N/A | N/A | C:\ProgramData\kgedb\igfg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\kgedb\igfg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| N/A | N/A | C:\ProgramData\kgedb\igfg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2796 wrote to memory of 2904 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\kgedb\igfg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\coredrive.exe
"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {731D188C-70B7-44CB-BD59-E8F19DD72745} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
C:\ProgramData\kgedb\igfg.exe
C:\ProgramData\kgedb\igfg.exe
Network
Files
C:\ProgramData\kgedb\igfg.exe
| MD5 | c6a399eb155322a8cbf1390c118553cb |
| SHA1 | c59b0aa34638e8991358520e29625bb7fb4e3b6b |
| SHA256 | a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221 |
| SHA512 | 6437b6ea8990130f8e69b113f6ec8310e8831a80a2cf7ef1d8d16b323729a89c4a00a8900030e77f5671a7a40971e519731ec22519d98d7af29577dcb5dfe44e |
C:\Windows\Tasks\Test Task17.job
| MD5 | df9d2178e626c597a5cf0a51b5ce38b3 |
| SHA1 | b52431520491936688d4c48d4ed820fa2eaee5d1 |
| SHA256 | b17547bf57baed3d1c08cc5a84fccefd394affbdc912a74efc19ded10d66ec08 |
| SHA512 | f5e0a4ef6be0421413cfae340030f6754690b1adabdff6e6a57846aff93a24e39b98cd99e8284d9dc5ae9e8c601744cf7ffc2dd91748e4e1ca4d0c90093eed8f |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 14:26
Reported
2025-03-05 14:29
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
144s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\jjle\qbhrwp.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\jjle\qbhrwp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\jjle\qbhrwp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\jjle\qbhrwp.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine | C:\ProgramData\jjle\qbhrwp.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| N/A | N/A | C:\ProgramData\jjle\qbhrwp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jjle\qbhrwp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coredrive.exe | N/A |
| N/A | N/A | C:\ProgramData\jjle\qbhrwp.exe | N/A |
| N/A | N/A | C:\ProgramData\jjle\qbhrwp.exe | N/A |
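The registry indicators in the tables above (the VBOX__ ACPI table, the SystemBiosVersion/VideoBiosVersion values, the Software\Wine key and the NLS\Language key) are the raw material a detection engineer turns into a rule. The following is an added example by the editor, not code from the sandbox report or from the sample: it replays constructed events mirroring the behavioral2 rows through a small rule set and flags a process only when it performs several independent VM-detection checks, since a single BIOS query is common in legitimate software. The technique labels and ATT&CK IDs are the editor's mapping, not something the report states.

```python
"""Classify sandbox registry-access indicators into anti-analysis techniques.

Added example by the editor, not part of the sandbox report or of the sample.
EVENTS is constructed to mirror the rows in the behavioral2 signature tables;
the technique labels and ATT&CK IDs are the editor's mapping, not the report's.
"""
import re
from collections import defaultdict

# (regex over the registry path, human label, ATT&CK technique ID).
# The VBOX__ ACPI table name, the *BiosVersion values, the Software\Wine key and
# the NLS\Language key are the indicators the report lists; the IDs are the editor's.
REGISTRY_RULES = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", "VirtualBox ACPI table check", "T1497.001"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "BIOS version query", "T1497.001"),
    (r"\\Software\\Wine$", "Wine environment check", "T1497.001"),
    (r"\\Control\\NLS\\Language$", "System language discovery", "T1614.001"),
]

CORE = r"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"
COPY = r"C:\ProgramData\jjle\qbhrwp.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000"

# Constructed events: (process, operation, registry path), one per report row.
EVENTS = [
    (CORE, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (COPY, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (CORE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (CORE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (COPY, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (COPY, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (CORE, "Key opened", USER_HIVE + r"\Software\Wine"),
    (COPY, "Key opened", USER_HIVE + r"\Software\Wine"),
    (CORE, "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (COPY, "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]


def classify(events):
    """Map each process to {(label, attack_id): [registry paths]} for matching events."""
    hits = defaultdict(lambda: defaultdict(list))
    for process, _operation, path in events:
        for pattern, label, technique in REGISTRY_RULES:
            if re.search(pattern, path, re.IGNORECASE):
                hits[process][(label, technique)].append(path)
                break
    return hits


def evasion_checks(hits_for_process):
    """Distinct sandbox/VM-detection checks (T1497.001) observed for one process, sorted."""
    return sorted(label for label, technique in hits_for_process if technique == "T1497.001")


def verdict(events, threshold=2):
    """Processes that perform at least `threshold` distinct VM-detection checks.

    One BIOS query alone is common in legitimate software; several independent
    checks (ACPI table, BIOS strings, Wine) are the pattern behind the report's
    'likely anti-VM' signature.
    """
    return {process: evasion_checks(h) for process, h in classify(events).items()
            if len(evasion_checks(h)) >= threshold}
```

Both the original coredrive.exe and the dropped copy trip all three VM checks plus the language query, which is consistent with the copy being the same binary re-executed from ProgramData rather than a second-stage payload.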
Processes
C:\Users\Admin\AppData\Local\Temp\coredrive.exe
"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"
C:\ProgramData\jjle\qbhrwp.exe
C:\ProgramData\jjle\qbhrwp.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| GB | 2.16.34.50:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4249 | towerbingobongoboom.com | tcp |
| SE | 142.250.74.174:80 | 142.250.74.174 | tcp |
| US | 104.18.35.25:443 | | tcp |
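Most rows in the network table are the Windows 10 guest's own Bing traffic and its DNS resolver; the connections that matter for blocking are the lookup of towerbingobongoboom.com and the two TCP sessions to 213.209.150.137 on ports 4000 and 4249, neither of which is a standard service port. The block below is an added example by the editor, not part of the report: it splits the table into background noise, DNS queries and C2 candidates, annotates each candidate with the properties worth pivoting on, and emits block-list entries. The rows are constructed from the table above; the background-host allowlist, the resolver set and the "non-standard port" heuristic are the editor's assumptions, not the sandbox's.

```python
"""Split a sandbox network table into background noise, DNS lookups and C2 candidates.

Added example by the editor, not part of the report. ROWS is constructed from
the behavioral2 Network table; the background-host allowlist, the resolver set
and the 'non-standard port' heuristic are the editor's, not the sandbox's.
"""

# (country, destination ip:port, resolved or queried domain, protocol), as in the table
ROWS = [
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.27.10:443", "g.bing.com", "tcp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("US", "150.171.27.10:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("GB", "2.16.34.50:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "towerbingobongoboom.com", "udp"),
    ("US", "213.209.150.137:4000", "towerbingobongoboom.com", "tcp"),
    ("US", "213.209.150.137:4249", "towerbingobongoboom.com", "tcp"),
    ("SE", "142.250.74.174:80", "142.250.74.174", "tcp"),
    ("US", "104.18.35.25:443", "", "tcp"),
]

# Hosts the guest OS contacts on its own (editor's allowlist; extend it per sandbox image).
BACKGROUND_DOMAIN_SUFFIXES = ("bing.com", "bing.net")
RESOLVERS = {"8.8.8.8"}
COMMON_PORTS = {53, 80, 443}


def split_destination(dest):
    """'1.2.3.4:4000' -> ('1.2.3.4', 4000)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_background(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_DOMAIN_SUFFIXES)


def triage(rows):
    """Return {'background': [...], 'dns_queries': [...], 'candidates': [...]}.

    A query to a resolver is kept as the queried name only; every other
    non-background connection becomes a candidate, deduplicated on
    (domain, ip, port, proto) and annotated with two properties worth a second
    look: a port outside the usual set and a destination with no domain name.
    """
    result = {"background": [], "dns_queries": [], "candidates": []}
    seen = set()
    for _country, dest, domain, proto in rows:
        ip, port = split_destination(dest)
        if is_background(domain):
            result["background"].append(dest)
        elif ip in RESOLVERS and port == 53:
            if domain not in result["dns_queries"]:
                result["dns_queries"].append(domain)
        else:
            key = (domain, ip, port, proto)
            if key in seen:
                continue
            seen.add(key)
            result["candidates"].append({
                "domain": domain, "ip": ip, "port": port, "proto": proto,
                "nonstandard_port": port not in COMMON_PORTS,
                "bare_ip": domain == "" or domain == ip,
            })
    return result


def block_list(result):
    """Deduplicated block-list entries for the candidates: named domains and ip:port pairs."""
    entries = []
    for c in result["candidates"]:
        if not c["bare_ip"] and "domain:" + c["domain"] not in entries:
            entries.append("domain:" + c["domain"])
        entries.append(f"ip:{c['ip']}:{c['port']}")
    return entries
```

The two bare-IP connections (142.250.74.174:80 and 104.18.35.25:443) survive the filter because the heuristic cannot attribute them; they need manual review before going on a block list, whereas the domain and the two high-port sessions can be blocked as they stand.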
Files
memory/456-0-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-1-0x0000000077454000-0x0000000077456000-memory.dmp
memory/456-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/456-3-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-6-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-7-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-8-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-9-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-10-0x0000000000400000-0x0000000000823000-memory.dmp
C:\ProgramData\jjle\qbhrwp.exe
| Hash | Value |
| MD5 | c6a399eb155322a8cbf1390c118553cb |
| SHA1 | c59b0aa34638e8991358520e29625bb7fb4e3b6b |
| SHA256 | a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221 |
| SHA512 | 6437b6ea8990130f8e69b113f6ec8310e8831a80a2cf7ef1d8d16b323729a89c4a00a8900030e77f5671a7a40971e519731ec22519d98d7af29577dcb5dfe44e |
memory/1156-13-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-14-0x0000000000400000-0x0000000000823000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| Hash | Value |
| MD5 | ee6b447f68cc41c0debb6307b42698b8 |
| SHA1 | 5831b03201c52c621fa88f9cc8efec8eb84bf61f |
| SHA256 | 81879c88526d192a94ff39277a5e59da06fc1487315340f2eec1ab33f07b201c |
| SHA512 | ef36812bebc0f33b664f70f2e167b21a68f50f21ac684b8ecac86e32ddb876b2f58360098353369ddd568d014de5e3f6c94b7102aa73352b70000dccccbf1cc7 |
memory/456-16-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-17-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-18-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-19-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-20-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-21-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-22-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-23-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-24-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-25-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-26-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-27-0x0000000000400000-0x0000000000823000-memory.dmp
memory/456-28-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-29-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-30-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-31-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-32-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-33-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-34-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-35-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-36-0x0000000000400000-0x0000000000823000-memory.dmp
memory/1156-37-0x0000000000400000-0x0000000000823000-memory.dmp
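Two things in the Files section are worth checking programmatically rather than by eye: the dropped qbhrwp.exe carries the same SHA256 as the submitted coredrive.exe (it is a self-copy, as is igfg.exe in behavioral1), and the .job file under C:\Windows\Tasks is a legacy Task Scheduler job, i.e. the persistence mechanism the "Drops file in Windows directory" signature is really reporting. The memory dump names also encode per-PID region ranges, and both PIDs show the same 0x400000-0x823000 main image. The block below is an added example by the editor, not part of the report: a parser for those dump names plus the two hash and path checks. FILES and DUMPS are constructed from the behavioral2 Files section (DUMPS is a subset); the submitted SHA256 is the one in the Analysis Overview.

```python
"""Triage the Files section of a sandbox report: self-copies, persistence, image layout.

Added example by the editor, not part of the report. FILES and DUMPS are
constructed from the behavioral2 Files section (DUMPS is a subset); the
submitted sample's SHA256 is the one in the Analysis Overview.
"""
import re

SUBMITTED_SHA256 = "a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221"

# path -> hashes, as listed under Files
FILES = {
    r"C:\ProgramData\jjle\qbhrwp.exe": {
        "MD5": "c6a399eb155322a8cbf1390c118553cb",
        "SHA256": "a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221",
    },
    r"C:\Windows\Tasks\Test Task17.job": {
        "MD5": "ee6b447f68cc41c0debb6307b42698b8",
        "SHA256": "81879c88526d192a94ff39277a5e59da06fc1487315340f2eec1ab33f07b201c",
    },
}

# Subset of the memory dump names listed under Files (PID 456 is coredrive.exe, 1156 the copy).
DUMPS = [
    "memory/456-0-0x0000000000400000-0x0000000000823000-memory.dmp",
    "memory/456-1-0x0000000077454000-0x0000000077456000-memory.dmp",
    "memory/456-2-0x0000000000401000-0x0000000000403000-memory.dmp",
    "memory/1156-13-0x0000000000400000-0x0000000000823000-memory.dmp",
    "memory/1156-37-0x0000000000400000-0x0000000000823000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)


def parse_dump(name):
    """'memory/456-0-0x...400000-0x...823000-memory.dmp' -> pid, seq, start, end, size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def main_image_ranges(dumps):
    """Per PID, the largest dumped region; for a process dumped this way that is the mapped image."""
    best = {}
    for d in map(parse_dump, dumps):
        if d["pid"] not in best or d["size"] > best[d["pid"]]["size"]:
            best[d["pid"]] = d
    return best


def identical_image_layout(ranges):
    """True when every PID's main image has the same base and size, as expected
    when the child process is a byte-identical copy of the parent."""
    layouts = {(r["start"], r["size"]) for r in ranges.values()}
    return len(layouts) == 1


def self_copies(files, submitted_sha256):
    """Dropped files whose SHA256 equals the submitted sample: the malware copied itself."""
    return [p for p, h in files.items() if h["SHA256"].lower() == submitted_sha256.lower()]


def task_job_files(files):
    """Legacy Task Scheduler 1.0 .job files written under the Windows Tasks directory."""
    tasks_dir = "c:\\windows\\tasks\\"
    return [p for p in files if p.lower().startswith(tasks_dir) and p.lower().endswith(".job")]
```

Running the same three checks against the behavioral1 section gives the same picture with different random names (kgedb\igfg.exe, a differently hashed Test Task17.job), which is the usual signature of a sample that generates its install path per run while keeping the job name fixed.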