Analysis Overview
SHA256
a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
Threat Level: Known bad
The file 0x0007000000014970-113.dat was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Glupteba payload
SmokeLoader
RedLine
Smokeloader family
Glupteba
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:09
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:09
Reported
2023-12-11 03:12
Platform
win7-20231023-en
Max time kernel
95s
Max time network
118s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EE45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2F7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F910.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2F7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2F7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2F7.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EE45.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"
C:\Users\Admin\AppData\Local\Temp\EE45.exe
C:\Users\Admin\AppData\Local\Temp\EE45.exe
C:\Users\Admin\AppData\Local\Temp\F2F7.exe
C:\Users\Admin\AppData\Local\Temp\F2F7.exe
C:\Users\Admin\AppData\Local\Temp\F910.exe
C:\Users\Admin\AppData\Local\Temp\F910.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp" /SL5="$801F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\4637.exe
C:\Users\Admin\AppData\Local\Temp\4637.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211031134.log C:\Windows\Logs\CBS\CbsPersist_20231211031134.cab
C:\Users\Admin\AppData\Local\Temp\5008.exe
C:\Users\Admin\AppData\Local\Temp\5008.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
Files
memory/2852-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1232-1-0x0000000002780000-0x0000000002796000-memory.dmp
memory/2852-2-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EE45.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2680-12-0x00000000003D0000-0x000000000040C000-memory.dmp
memory/2680-17-0x0000000074D20000-0x000000007540E000-memory.dmp
memory/2680-18-0x0000000007580000-0x00000000075C0000-memory.dmp
memory/2680-20-0x0000000074D20000-0x000000007540E000-memory.dmp
memory/2680-21-0x0000000007580000-0x00000000075C0000-memory.dmp
memory/2680-23-0x0000000074D20000-0x000000007540E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F2F7.exe
| MD5 | 667ddbcd2147d72d85fe6021270456be |
| SHA1 | cffb27c5e80163d054366814b209845660bdd412 |
| SHA256 | 5956997af14c1707ef6f1dcc5ba1d9593b42d21f2894dacaa4c4adff15fac24c |
| SHA512 | 0d6a081de7eb30013e9c91a264ad83e3218696038b89fb25d1edd284d36ad90679cdd83ce191cb68014eb325c56076810f3110158bbcf5641a74a382804ce90d |
C:\Users\Admin\AppData\Local\Temp\F2F7.exe
| MD5 | ed3235f559c31f0b2f8fe8698c53ba0b |
| SHA1 | a25237f9144ea8d64a24517c24dfe05acde53f68 |
| SHA256 | 6c0b520c69ff3cbbed8c2172842461996affee4db79047d2a662680ed0b90cb3 |
| SHA512 | e305ce2388f29003ec334fb9a853edabab7837c6879b95b79bcdd332eb80dc31bd521e7c20d21dbd258be767f1cc8ddebebf90b5a9355cd3e149e1d8cd13e5d5 |
memory/1724-29-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/2248-35-0x0000000000FC0000-0x0000000000FFC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F910.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/2248-36-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1724-37-0x0000000001180000-0x0000000002636000-memory.dmp
memory/2248-39-0x0000000007330000-0x0000000007370000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 365de00b65f84a0a49222348d94e6c6e |
| SHA1 | f83f943fad3a48790665c1805f8d0d91c6f843af |
| SHA256 | 51f9235838aa532c33cdfb629e9e14a3e67718937a923d3ebd92aa95fbb20884 |
| SHA512 | 477cf931e65be79a061568c4c1b7d60b5998d6db046b642625ba2e2ee85bd7a46e537be317ab32c97ba2b8458bd2b4a0ac441894a6a3379ae543cfbdae0ca848 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | b6c38a18341a71ef49e2503b9e28d6b0 |
| SHA1 | d25490d3f37dc2864f0d8629de97d51002dcdd2f |
| SHA256 | b42c516ac25153cac5de0f44a7ad81cd17b19aecbba650f42187e0c225992173 |
| SHA512 | eb54ceef102209534bbe869619f95ecc8408ce5e9db42b0981484cd3b8e90fa254d77c09500edd63e4364a95a9aa913f8272d17287eca799847a3410213685d4 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7e41a1c24fc929332c543bbfcfe35e1c |
| SHA1 | 24bac343b1f9274d58000338ad6ca952d279e506 |
| SHA256 | a74afcff220ef3684c8f4422fd6448d17b26559d8dcd334c2c94251fc7308bbe |
| SHA512 | 3eaf8594fdfc130d3e77bcce87352f31e2bb9a12f099c05aaf5e1c4ac84fc9385267c859882ae1bb674878630d8517c26448c765e52a4dbb53e77512f71bd611 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f81be07058935d224ab3843bff94fec0 |
| SHA1 | 1a7360901f8cb5017f7a41ca1a6984227b712b16 |
| SHA256 | 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c |
| SHA512 | 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 721a2a56d2af016ce1e41d2056ee1e9a |
| SHA1 | eb1414043ebf9d798e4b9e42d20a8e58558bdba5 |
| SHA256 | 3ebb1be7ccf08f80925e4226f6af454f3c98f39a62c0d1c7a002435df9425d0c |
| SHA512 | 342dee4d905714b182e3eb167638167f2f77d785ca839866d2ae5361796cdad823fd57006a7106836910d3180f1d1eabb1c6c7e9bea6ee7312a0708d2124fc85 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1f40433778e799319ae0ece36d28f00f |
| SHA1 | 4ce947e15182e61e379fbfbf52b6625cb0528c69 |
| SHA256 | 1d360b097bfd95b5e6312350928af25631973ff1ddfce7835ac5c8b239b9e58c |
| SHA512 | 30e0d4d61dd4535f7e09a0e0d49691dbb9f99ed54f01b4b898eb786b466cdba34e170677887831daa5e6f98bf2f0d8ca7729a2bf7949ee0ac043a617b419030f |
memory/2032-77-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
\Users\Admin\AppData\Local\Temp\is-04Q0F.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1044-93-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-04Q0F.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-04Q0F.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/752-105-0x00000000008C0000-0x00000000009C0000-memory.dmp
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/320-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1724-120-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/752-109-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1940-100-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/320-123-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2796-124-0x00000000027B0000-0x0000000002BA8000-memory.dmp
memory/320-126-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2796-127-0x00000000027B0000-0x0000000002BA8000-memory.dmp
memory/2796-128-0x0000000002BB0000-0x000000000349B000-memory.dmp
memory/2248-129-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/2796-130-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1232-133-0x0000000002BF0000-0x0000000002C06000-memory.dmp
memory/2796-132-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/320-134-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2248-139-0x0000000007330000-0x0000000007370000-memory.dmp
memory/1940-135-0x0000000000400000-0x0000000000965000-memory.dmp
memory/2032-141-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1044-142-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4637.exe
| MD5 | e27d09606853bd7cc337c2d338854824 |
| SHA1 | 8a91c95ff2e6b5983c936c5a0ee11586d1dfeb70 |
| SHA256 | 17acc7dd07b27037a73924112cc45711d2c6659d5101c0e8606957f2f36303d7 |
| SHA512 | 5ed4e4510731c31cf34cf14628b7ac997b4d445bda754084f79e24df2e2d2118ff49ad3de1125f2fd8011b2a7161e3c14a3b658dc15f03a9eb572996c80631b2 |
C:\Users\Admin\AppData\Local\Temp\4637.exe
| MD5 | f46fcdf3b8d78523a59981d45ad725f1 |
| SHA1 | 06507e670624f3a363ef4e1c1271d784e82e0d07 |
| SHA256 | e716d2e4f1d37f5d9be93b3ecc8a7c5e1621344988ddc34729f2ac2505f940d0 |
| SHA512 | 1d765b8c013b26b636430f318f519168e5914734e999efffe4d5d7fa30e35d39adabd91f86192449e2a2b5e93bcf49d34f28995b5f56158725d3223969d14b64 |
memory/1044-147-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2692-148-0x00000000009C0000-0x0000000000F72000-memory.dmp
memory/956-149-0x000000013F540000-0x000000013FAE1000-memory.dmp
memory/2692-151-0x0000000004C10000-0x0000000004C50000-memory.dmp
memory/2692-150-0x0000000074CF0000-0x00000000753DE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:09
Reported
2023-12-11 03:12
Platform
win10v2004-20231127-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C5D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\716F.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 3420 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898E.exe |
| PID 3408 wrote to memory of 3420 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898E.exe |
| PID 3408 wrote to memory of 3420 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\898E.exe |
| PID 3408 wrote to memory of 1104 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C5D.exe |
| PID 3408 wrote to memory of 1104 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C5D.exe |
| PID 3408 wrote to memory of 1104 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C5D.exe |
| PID 3408 wrote to memory of 4376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\716F.exe |
| PID 3408 wrote to memory of 4376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\716F.exe |
| PID 3408 wrote to memory of 4376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\716F.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"
C:\Users\Admin\AppData\Local\Temp\898E.exe
C:\Users\Admin\AppData\Local\Temp\898E.exe
C:\Users\Admin\AppData\Local\Temp\6C5D.exe
C:\Users\Admin\AppData\Local\Temp\6C5D.exe
C:\Users\Admin\AppData\Local\Temp\716F.exe
C:\Users\Admin\AppData\Local\Temp\716F.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp" /SL5="$7022E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Users\Admin\AppData\Local\Temp\C906.exe
C:\Users\Admin\AppData\Local\Temp\C906.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\E45F.exe
C:\Users\Admin\AppData\Local\Temp\E45F.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| MD | 176.123.7.190:32927 | N/A | tcp |
| US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp |
Files
memory/4476-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3408-1-0x0000000002730000-0x0000000002746000-memory.dmp
memory/4476-3-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\898E.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\6C5D.exe
| MD5 | d0c59443e41e1160209139841fa39c9f |
| SHA1 | 76be0077ce9dc5ef6756b8c202a6d5d94c759535 |
| SHA256 | de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c |
| SHA512 | d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28 |
C:\Users\Admin\AppData\Local\Temp\716F.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/1104-20-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/4376-21-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/4376-22-0x0000000000120000-0x000000000015C000-memory.dmp
memory/1104-23-0x0000000000AC0000-0x0000000001F76000-memory.dmp
memory/4376-24-0x0000000007670000-0x0000000007C14000-memory.dmp
memory/4376-25-0x00000000071A0000-0x0000000007232000-memory.dmp
memory/4376-27-0x0000000007370000-0x0000000007380000-memory.dmp
memory/4376-28-0x0000000007180000-0x000000000718A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
memory/4376-47-0x0000000008240000-0x0000000008858000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d87229b116edc4003d8244f9039b15f8 |
| SHA1 | 73249e6c378fe1f75799defff01d97deef857ac4 |
| SHA256 | 9696335f8cbf1000a0b9498458fb630e64dae4e209fb8efeb0b9cde4b13be227 |
| SHA512 | 8d37482bac52cfbcadc76d7a616306994b0d1c3838c85312797d9c1eb371cdc381e682b56f6e6c4ec2baa9a9eddc17deff7ec7e0497a39488a060fc3267dd1b1 |
memory/4376-55-0x00000000074C0000-0x00000000075CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 6200a658245d0bf4fab336e6018a8fef |
| SHA1 | c4bd77e3561eeda70eb68432fa0b146e8777a648 |
| SHA256 | 7ab8cb78dd3a44504e05aacb1daec6771793c4072c4a1e2bdb959799f8e96b66 |
| SHA512 | 496dcb042306af0c59134a4f4b2def798926869f537c6c650d67efc3e803804b88a0d07005fbf8714e7d8fb7dc145419c9da42c6f02d9ac57d41a7353325b5d9 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 648cf2409af84186c9d9ec1bc00c3f4c |
| SHA1 | a24e94213ba233a05ef3a386ab20df7461483cb6 |
| SHA256 | 4a6166045b17c703f9d9a5547aa81d0e2e2a7d1019268bef5b13b609896c53dd |
| SHA512 | ac16f74ac3eb7566fa966a480ee021af8addf641f938bcffc37f565641f7c6ad0d937cb92b76d8736aba725fc87ebc4426f889bdf07ee82c356be9d144cd9a74 |
memory/4376-57-0x00000000073F0000-0x0000000007402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 8b549b3586fdcfec2f80d8e3ef602dc1 |
| SHA1 | d004ccb9547888a939cf664e7eca60642590daa2 |
| SHA256 | 10e7790607d5c8c14e9ed5eb0747d5901a7f88f322a69d5b979985d93caa07d6 |
| SHA512 | cf878cd75bb7007a8a3b572c13187c6e892ddcc0ae75868b6b0e22d9fa20daeca6e190f7ee3d5e5203cce2f088da33808c0c3e28cd1599add5afdc0aa8abf696 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 39508adcff7eceed3a77a6f6f7e715a8 |
| SHA1 | dcd84016a43ab9bd5d476889043f4b56827e8539 |
| SHA256 | 75b704ba240410adec369ffccc29665521133682d8fb65b021c9888e5d894759 |
| SHA512 | 5d29ea730cc4dd593f5b06cb31cd94a1192e53380a90f29d26e917af7088d9df791c7525a92b1c626876ff523e78f8806b36f8cd6479a46c79ac529713ec2178 |
memory/4376-63-0x0000000007450000-0x000000000748C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | b085b07c9fb1aa44b3f854512a6f1b2f |
| SHA1 | 0a9aa29c512dc0ff4aba69480d0544f5d829831e |
| SHA256 | de15932684958ba35f798f366ad2e56fa14a3b6259944e5906c2fb3e4a3a4c40 |
| SHA512 | 1fb1f9972e0a5ab5b4c36f51d3f028d023939f1f6a8e3c84ac7bf72162ac0ba3fa830380a4b6172bcfaf75ed36b0841a160f3c9f326c2bcbf9292816f92e698a |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 8e5942a7903c1da6ed46c2a50f9742ed |
| SHA1 | 76aaf7b3616659a6f24b4a8f5b243496e4a38bf6 |
| SHA256 | bda380296a716271d12fa54ef0c33ae356d51669c0c9b7b944f870e6e313e5f6 |
| SHA512 | 0cd9fe2ef8ffac44194bd5ccf3a66720d62eeb2db4600a5fcba792fbaf7e988eada5cd6e7e0c8f258025af754d85db753d7b75116a4bb41804ffffed6261dfbe |
memory/3324-74-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4376-75-0x00000000075D0000-0x000000000761C000-memory.dmp
memory/1824-79-0x0000000000B40000-0x0000000000B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 9615886cd5d4b73e21b7b37853a3abe1 |
| SHA1 | 27a295a2be329fda09ef420de6fbc5880f63f661 |
| SHA256 | d7e749046df14ec00a793aa7b8913c44bfabbb9d0668b765ee60d5f3ceb4d37a |
| SHA512 | c7b9fead0499e0b946c62887635742d8b96c8e2a2c671f8aeab20518202329a184aa5daf18adc4f3ef8669802740fd5b66e9a2eb7e9b9e871918032e6473f4bf |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 798886a57ce7fb1a76a577beeb7d05da |
| SHA1 | 78f2d724346c7baefbab1d0030ec16a4393ca7d9 |
| SHA256 | 8706348d9e340df292ec7cd842588b1a1d0f68667bdfcd29c7ec8e57920a8e61 |
| SHA512 | 261002f42db2421c20b5212e1d2e96658ff7ca02bccf16bfb1fc2e53eae9e533c873d1f36d3d29c52a3f95ebd67376c4691084f08a0c4449512a4ee333881665 |
C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
memory/1104-91-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/4524-107-0x0000000000610000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8BLAL.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-8BLAL.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 16e697fbb09b200f0ab420179ccaefd4 |
| SHA1 | 5908f7f583d0b60bf5e51dec26abb3ffd7cc31a6 |
| SHA256 | 3f3a7313feed17bb3d0e821bdaf1ebede9c106d93d322b4ab28184259f709f9c |
| SHA512 | ebae80718fd33b14184c92551fa299777aeec97af0d79574f850441fdb29545e942bf095f3272a634f83c754bb1d47e1a04a07f52434596e73cb455a6ae9f9d2 |
memory/4920-235-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4920-236-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4920-239-0x0000000000400000-0x0000000000785000-memory.dmp
C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe
| MD5 | 031f92aa5d2af7d683af4ca4d6da56fb |
| SHA1 | c050f9b1f22b7a461a8cc8ba25616a6611a7a28f |
| SHA256 | bb16d833e4cf44e4103b4492df9b9b0c3acf0099eed9fc1271c62e1a6f4345cd |
| SHA512 | 487dc0256aae5c584cccba4ff9ef4ea4e4cd02374daf45454fb06d0d72c83f5c2b3a3df9d9d4a6b6121e053ccdee5c357f66a8b4ce616b3457f01f7a8d03c755 |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | da8aa7fca2c1f2aadec5c23992945964 |
| SHA1 | 8b5ec126443684fd504b3aef2a3dfb25a3b3b997 |
| SHA256 | 27d64e47f85f561390c129f813280adb43084a48183f406a4da43c63669618b4 |
| SHA512 | 7309791627810478e737bc2bbc7b07a5f2351b9df8bbf56e0c4923fe1822d438969202779dfa0b5b5dc54417d86bf806739ee29ac1e0cffee4ba8d8b3dcd8ad9 |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 53f84548a76c05e2eb08dec0ffc3914e |
| SHA1 | 06aaf965c1b1743aeba9fab4e31086882c9b8536 |
| SHA256 | debc49918d3e8c0f01a2ea5d005e7ed2a9b89d6652876c65d006e08bdb81c3aa |
| SHA512 | 97798caf6269f173361b46cb94f407b3b0cd2e3531cf5ce08c79d8ea563bb3bac4d7eda1ebf270c6847fc04a4d8bf8ba3451a154d5ef258a0572438e0d897199 |
memory/4472-243-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4376-245-0x0000000007E10000-0x0000000007E76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C906.exe
| MD5 | d9272f48339d2fff46bdf9ca231866fb |
| SHA1 | bf2ae059f6e8403100bed30d4f524670e01f3bf7 |
| SHA256 | d9dab8e325c4e4a5b45d00a631d0cdbbbee06d805eb9a43a69b403771ec890f7 |
| SHA512 | 3738adfc0f6f430031b24c17bde97afa3c50a3502a3924c69122d8384b68c7321b71b590dd413aa8c597d1893a8902802ab43efbc0cfdaffb7222ec5e4f0b932 |
C:\Users\Admin\AppData\Local\Temp\C906.exe
| MD5 | 3128ddef41e91856db29b2fd12a8fcc6 |
| SHA1 | 686107159084b34be7cc1aabc6ef2cc3113c3a1e |
| SHA256 | a982aa8c21830caea888c61b1151496d3f7bedfd70838fbb2eda21528186571f |
| SHA512 | bbe60496c3b9b8c132f0cca4611d09954b76d6914820e7c9469c1d65be5013b472d1fb0a85763c62de47b24986315f0844f33e1a3aa95a4b2474d7ffbf5a5dc2 |
memory/3324-252-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2072-254-0x00007FF793510000-0x00007FF793AB1000-memory.dmp
memory/2688-253-0x0000000000410000-0x00000000009C2000-memory.dmp
memory/4524-255-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1824-251-0x0000000000400000-0x0000000000965000-memory.dmp
memory/2688-256-0x0000000005510000-0x00000000055AC000-memory.dmp
memory/2688-257-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/4376-258-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/4640-259-0x0000000002980000-0x0000000002D7D000-memory.dmp
memory/2688-260-0x0000000005500000-0x0000000005510000-memory.dmp
memory/4640-261-0x0000000002D80000-0x000000000366B000-memory.dmp
memory/4376-262-0x0000000007370000-0x0000000007380000-memory.dmp
memory/4640-263-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4472-264-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4640-265-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1364-268-0x0000000000840000-0x0000000000940000-memory.dmp
memory/1364-270-0x0000000000830000-0x0000000000839000-memory.dmp