Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-dnr9sscgb6
Target 0x0007000000014970-113.dat
SHA256 a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
Tags
smokeloader glupteba redline @oleh_ps livetraffic up3 backdoor discovery dropper infostealer loader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb

Threat Level: Known bad

The file 0x0007000000014970-113.dat was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Glupteba payload

SmokeLoader

RedLine

Smokeloader family

Glupteba

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:09

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:09

Reported

2023-12-11 03:12

Platform

win7-20231023-en

Max time kernel

95s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
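Opening, querying and enumerating HKLM\SYSTEM\ControlSet001\Enum\SCSI yields the device-instance IDs of the attached disks, and on a virtual machine the vendor/product part of those IDs usually names the hypervisor; that is why Triage flags the three operations above. The report does not show what the sample compared the values against. The following script is an added example, not the sample's code and not part of the report: on Windows it walks the same key with winreg; everywhere else it runs the matching logic over constructed device IDs. The hypervisor marker list is an assumption drawn from common VM-detection checks.

```python
import sys

# Added example, not the sample's code. The table above records the sample
# opening, querying and enumerating this key; which strings it then looked
# for is not shown in the report.
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Assumption: vendor/product substrings that identify a hypervisor-provided
# disk in a device-instance ID such as 'Disk&Ven_VMware&Prod_Virtual_disk'.
# Drawn from common VM-detection checks, not from this sample.
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen")


def hypervisor_hits(device_ids):
    """Device-instance IDs (subkey paths under Enum\\SCSI) that contain one
    of the markers, in input order."""
    return [dev for dev in device_ids
            if any(marker in dev.lower() for marker in HYPERVISOR_MARKERS)]


def looks_like_vm(device_ids):
    return bool(hypervisor_hits(device_ids))


def read_scsi_device_ids():
    """Windows only: open HKLM\\...\\Enum\\SCSI and enumerate two levels of
    subkeys, the same operations the signature table lists, returning
    '<device>\\<instance>' strings. Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            device = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    ids.append(device + "\\" + winreg.EnumKey(dev_key, j))
    return ids


# Constructed device IDs (not from the report): a VirtualBox guest and a
# physical machine with an NVMe SSD.
SAMPLE_VBOX = [
    r"Disk&Ven_VBOX&Prod_HARDDISK\4&2f6e9e5&0&000000",
    r"CdRom&Ven_VBOX&Prod_CD-ROM\4&2f6e9e5&0&010000",
]
SAMPLE_PHYSICAL = [r"Disk&Ven_NVMe&Prod_Samsung_SSD_980\5&1a2b3c4&0&000000"]

if __name__ == "__main__":
    live = read_scsi_device_ids()
    for label, ids in (("this host", live), ("vbox sample", SAMPLE_VBOX),
                       ("physical sample", SAMPLE_PHYSICAL)):
        verdict = "VM markers found" if looks_like_vm(ids) else "no VM markers"
        print(f"{label}: {verdict}", hypervisor_hits(ids))
```

Run it on an analysis VM to see which strings your own disk identifiers leak; if they match, the sandbox is distinguishable by the same three registry calls the table records.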

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
62 further rows: N/A N/A N/A N/A (no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
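The repeated rows above are separate WriteProcessMemory events, and the Process column is N/A for the writer with PID 1232, so the table never names the image that PID runs; only the Target column names the process written into. The following script is an added example, not part of the Triage report: it parses rows copied from this table, collapses the repeats into per-pair event counts, and prints the resulting injection chain, flagging the unattributed writer instead of guessing its image. Only the rows come from the page; the parsing and the tree layout are mine.

```python
import re
from collections import defaultdict

# Added example. Rows copied from the "Suspicious use of WriteProcessMemory"
# table of the behavioral1 (win7) run. Triage flattens the four columns
# (Description, Indicator, Process, Target) into one line; the regex below
# pulls them apart again.
WPM_ROWS = r"""
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE45.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1232 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\F910.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\F2F7.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)


def parse_wpm_rows(text):
    """One (writer_pid, written_pid, process_col, target_col) tuple per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["process"], m["target"]))
    return events


def build_injection_graph(events):
    """Collapse repeated rows into writer -> {written_pid: event_count} and a
    pid -> image-name map. Target names the image of the process written
    into; Process, when not N/A, names the writer's own image."""
    children = defaultdict(lambda: defaultdict(int))
    names = {}
    for src, dst, process, target in events:
        children[src][dst] += 1
        names[dst] = target.rsplit("\\", 1)[-1]
        if process != "N/A":
            names[src] = process.rsplit("\\", 1)[-1]
    return {s: dict(c) for s, c in children.items()}, names


def root_writers(children):
    """Writers that nobody wrote into: the top of each injection chain."""
    written = {dst for kids in children.values() for dst in kids}
    return {src for src in children if src not in written}


def render_chain(children, names, pid, depth=0, writes=0):
    """Indented tree; a PID the table never attributes to an image is
    flagged rather than guessed."""
    label = names.get(pid, "<image not recorded in table>")
    suffix = f"  [{writes} WriteProcessMemory event(s)]" if writes else ""
    lines = [f"{'  ' * depth}{pid} {label}{suffix}"]
    for dst, count in sorted(children.get(pid, {}).items()):
        lines.extend(render_chain(children, names, dst, depth + 1, count))
    return lines


if __name__ == "__main__":
    children, names = build_injection_graph(parse_wpm_rows(WPM_ROWS))
    for root in sorted(root_writers(children)):
        print("\n".join(render_chain(children, names, root)))
```

The same parser reads the behavioral2 table unchanged; there the unattributed root is PID 3408 and the written images are 898E.exe, 6C5D.exe and 716F.exe.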

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

C:\Users\Admin\AppData\Local\Temp\EE45.exe

C:\Users\Admin\AppData\Local\Temp\EE45.exe

C:\Users\Admin\AppData\Local\Temp\F2F7.exe

C:\Users\Admin\AppData\Local\Temp\F2F7.exe

C:\Users\Admin\AppData\Local\Temp\F910.exe

C:\Users\Admin\AppData\Local\Temp\F910.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp" /SL5="$801F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\4637.exe

C:\Users\Admin\AppData\Local\Temp\4637.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211031134.log C:\Windows\Logs\CBS\CbsPersist_20231211031134.cab

C:\Users\Admin\AppData\Local\Temp\5008.exe

C:\Users\Admin\AppData\Local\Temp\5008.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 tcp

Files

memory/2852-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1232-1-0x0000000002780000-0x0000000002796000-memory.dmp

memory/2852-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE45.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2680-12-0x00000000003D0000-0x000000000040C000-memory.dmp

memory/2680-17-0x0000000074D20000-0x000000007540E000-memory.dmp

memory/2680-18-0x0000000007580000-0x00000000075C0000-memory.dmp

memory/2680-20-0x0000000074D20000-0x000000007540E000-memory.dmp

memory/2680-21-0x0000000007580000-0x00000000075C0000-memory.dmp

memory/2680-23-0x0000000074D20000-0x000000007540E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2F7.exe

MD5 667ddbcd2147d72d85fe6021270456be
SHA1 cffb27c5e80163d054366814b209845660bdd412
SHA256 5956997af14c1707ef6f1dcc5ba1d9593b42d21f2894dacaa4c4adff15fac24c
SHA512 0d6a081de7eb30013e9c91a264ad83e3218696038b89fb25d1edd284d36ad90679cdd83ce191cb68014eb325c56076810f3110158bbcf5641a74a382804ce90d

C:\Users\Admin\AppData\Local\Temp\F2F7.exe

MD5 ed3235f559c31f0b2f8fe8698c53ba0b
SHA1 a25237f9144ea8d64a24517c24dfe05acde53f68
SHA256 6c0b520c69ff3cbbed8c2172842461996affee4db79047d2a662680ed0b90cb3
SHA512 e305ce2388f29003ec334fb9a853edabab7837c6879b95b79bcdd332eb80dc31bd521e7c20d21dbd258be767f1cc8ddebebf90b5a9355cd3e149e1d8cd13e5d5

memory/1724-29-0x0000000074CF0000-0x00000000753DE000-memory.dmp

memory/2248-35-0x0000000000FC0000-0x0000000000FFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F910.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/2248-36-0x0000000074CF0000-0x00000000753DE000-memory.dmp

memory/1724-37-0x0000000001180000-0x0000000002636000-memory.dmp

memory/2248-39-0x0000000007330000-0x0000000007370000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 365de00b65f84a0a49222348d94e6c6e
SHA1 f83f943fad3a48790665c1805f8d0d91c6f843af
SHA256 51f9235838aa532c33cdfb629e9e14a3e67718937a923d3ebd92aa95fbb20884
SHA512 477cf931e65be79a061568c4c1b7d60b5998d6db046b642625ba2e2ee85bd7a46e537be317ab32c97ba2b8458bd2b4a0ac441894a6a3379ae543cfbdae0ca848

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b6c38a18341a71ef49e2503b9e28d6b0
SHA1 d25490d3f37dc2864f0d8629de97d51002dcdd2f
SHA256 b42c516ac25153cac5de0f44a7ad81cd17b19aecbba650f42187e0c225992173
SHA512 eb54ceef102209534bbe869619f95ecc8408ce5e9db42b0981484cd3b8e90fa254d77c09500edd63e4364a95a9aa913f8272d17287eca799847a3410213685d4

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7e41a1c24fc929332c543bbfcfe35e1c
SHA1 24bac343b1f9274d58000338ad6ca952d279e506
SHA256 a74afcff220ef3684c8f4422fd6448d17b26559d8dcd334c2c94251fc7308bbe
SHA512 3eaf8594fdfc130d3e77bcce87352f31e2bb9a12f099c05aaf5e1c4ac84fc9385267c859882ae1bb674878630d8517c26448c765e52a4dbb53e77512f71bd611

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f81be07058935d224ab3843bff94fec0
SHA1 1a7360901f8cb5017f7a41ca1a6984227b712b16
SHA256 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c
SHA512 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 00e93456aa5bcf9f60f84b0c0760a212
SHA1 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256 ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512 abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 721a2a56d2af016ce1e41d2056ee1e9a
SHA1 eb1414043ebf9d798e4b9e42d20a8e58558bdba5
SHA256 3ebb1be7ccf08f80925e4226f6af454f3c98f39a62c0d1c7a002435df9425d0c
SHA512 342dee4d905714b182e3eb167638167f2f77d785ca839866d2ae5361796cdad823fd57006a7106836910d3180f1d1eabb1c6c7e9bea6ee7312a0708d2124fc85

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1f40433778e799319ae0ece36d28f00f
SHA1 4ce947e15182e61e379fbfbf52b6625cb0528c69
SHA256 1d360b097bfd95b5e6312350928af25631973ff1ddfce7835ac5c8b239b9e58c
SHA512 30e0d4d61dd4535f7e09a0e0d49691dbb9f99ed54f01b4b898eb786b466cdba34e170677887831daa5e6f98bf2f0d8ca7729a2bf7949ee0ac043a617b419030f

memory/2032-77-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

\Users\Admin\AppData\Local\Temp\is-04Q0F.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1044-93-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-04Q0F.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-04Q0F.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/752-105-0x00000000008C0000-0x00000000009C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/320-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1724-120-0x0000000074CF0000-0x00000000753DE000-memory.dmp

memory/752-109-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1940-100-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/320-123-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2796-124-0x00000000027B0000-0x0000000002BA8000-memory.dmp

memory/320-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2796-127-0x00000000027B0000-0x0000000002BA8000-memory.dmp

memory/2796-128-0x0000000002BB0000-0x000000000349B000-memory.dmp

memory/2248-129-0x0000000074CF0000-0x00000000753DE000-memory.dmp

memory/2796-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1232-133-0x0000000002BF0000-0x0000000002C06000-memory.dmp

memory/2796-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/320-134-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2248-139-0x0000000007330000-0x0000000007370000-memory.dmp

memory/1940-135-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2032-141-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1044-142-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4637.exe

MD5 e27d09606853bd7cc337c2d338854824
SHA1 8a91c95ff2e6b5983c936c5a0ee11586d1dfeb70
SHA256 17acc7dd07b27037a73924112cc45711d2c6659d5101c0e8606957f2f36303d7
SHA512 5ed4e4510731c31cf34cf14628b7ac997b4d445bda754084f79e24df2e2d2118ff49ad3de1125f2fd8011b2a7161e3c14a3b658dc15f03a9eb572996c80631b2

C:\Users\Admin\AppData\Local\Temp\4637.exe

MD5 f46fcdf3b8d78523a59981d45ad725f1
SHA1 06507e670624f3a363ef4e1c1271d784e82e0d07
SHA256 e716d2e4f1d37f5d9be93b3ecc8a7c5e1621344988ddc34729f2ac2505f940d0
SHA512 1d765b8c013b26b636430f318f519168e5914734e999efffe4d5d7fa30e35d39adabd91f86192449e2a2b5e93bcf49d34f28995b5f56158725d3223969d14b64

memory/1044-147-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2692-148-0x00000000009C0000-0x0000000000F72000-memory.dmp

memory/956-149-0x000000013F540000-0x000000013FAE1000-memory.dmp

memory/2692-151-0x0000000004C10000-0x0000000004C50000-memory.dmp

memory/2692-150-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:09

Reported

2023-12-11 03:12

Platform

win10v2004-20231127-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\898E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C5D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\716F.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A
62 further rows: N/A N/A N/A N/A (no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 3420 N/A N/A C:\Users\Admin\AppData\Local\Temp\898E.exe
PID 3408 wrote to memory of 3420 N/A N/A C:\Users\Admin\AppData\Local\Temp\898E.exe
PID 3408 wrote to memory of 3420 N/A N/A C:\Users\Admin\AppData\Local\Temp\898E.exe
PID 3408 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C5D.exe
PID 3408 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C5D.exe
PID 3408 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C5D.exe
PID 3408 wrote to memory of 4376 N/A N/A C:\Users\Admin\AppData\Local\Temp\716F.exe
PID 3408 wrote to memory of 4376 N/A N/A C:\Users\Admin\AppData\Local\Temp\716F.exe
PID 3408 wrote to memory of 4376 N/A N/A C:\Users\Admin\AppData\Local\Temp\716F.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"

C:\Users\Admin\AppData\Local\Temp\898E.exe

C:\Users\Admin\AppData\Local\Temp\898E.exe

C:\Users\Admin\AppData\Local\Temp\6C5D.exe

C:\Users\Admin\AppData\Local\Temp\6C5D.exe

C:\Users\Admin\AppData\Local\Temp\716F.exe

C:\Users\Admin\AppData\Local\Temp\716F.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp" /SL5="$7022E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\C906.exe

C:\Users\Admin\AppData\Local\Temp\C906.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\E45F.exe

C:\Users\Admin\AppData\Local\Temp\E45F.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
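The win7 run above connected straight to four IP:port endpoints with no hostname (the Domain column repeats the IP or is blank), while this win10 table is dominated by two kinds of rows that are not the sample's doing: reverse (in-addr.arpa) lookups sent to the sandbox resolver at 8.8.8.8, and Bing traffic from the Windows 10 image itself. The following script is an added example, not part of the report: it parses both tables (the win10 rows are a subset copied from above), separates those two classes of noise, maps each PTR query back to the IP it names, and intersects the direct-to-IP endpoints across the two runs. Treating the Bing hosts as OS background is an assumption on my part; everything else is read off the tables.

```python
import ipaddress
import re

# Added example. Rows copied from the Network tables of the two runs (the
# win10 list is a subset of the 27 rows on the page). Columns:
# Country Destination Domain Proto; Domain is blank on one win7 row.
WIN7_NET = r"""
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 tcp
"""

WIN10_NET = r"""
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Assumption: hosts the Windows 10 image contacts on its own (tiles, search).
OS_BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_net_rows(text):
    """One dict per table row; a missing Domain column becomes ''."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"] or "", "proto": m["proto"]})
    return rows


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # reverse lookup of an address already contacted
    if d.endswith(OS_BACKGROUND_SUFFIXES):
        return "os-background"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"             # forward lookup of some other name
    if not d or _is_ip(d):
        return "direct-to-ip"    # no name resolved for it: the address is the indicator
    return "named-host"


def ptr_reversed_ip(domain):
    """'34.131.19.81.in-addr.arpa' -> '81.19.131.34'."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def direct_endpoints(rows):
    return {(r["ip"], r["port"], r["proto"]) for r in rows
            if classify(r) == "direct-to-ip"}


def ptr_lookups_for_c2(rows):
    """IPs that were both contacted directly and reverse-resolved in the same
    run: the PTR name is not a new indicator, the IP already is."""
    c2 = {ip for ip, _, _ in direct_endpoints(rows)}
    return {ptr_reversed_ip(r["domain"]) for r in rows
            if classify(r) == "ptr-lookup"} & c2


def compare_runs(run_a, run_b):
    a, b = direct_endpoints(run_a), direct_endpoints(run_b)
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    w7, w10 = parse_net_rows(WIN7_NET), parse_net_rows(WIN10_NET)
    for name, eps in compare_runs(w7, w10).items():
        print(name, sorted(eps))
    print("PTR lookups that only re-resolve C2 IPs:", sorted(ptr_lookups_for_c2(w10)))
```

Three endpoints (81.19.131.34:80, 185.172.128.19:80, 176.123.7.190:32927) recur across both platforms and are the ones worth promoting to network indicators; 77.105.132.87:6731 was only reached on win7.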

Files

memory/4476-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3408-1-0x0000000002730000-0x0000000002746000-memory.dmp

memory/4476-3-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\898E.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Local\Temp\6C5D.exe

MD5 d0c59443e41e1160209139841fa39c9f
SHA1 76be0077ce9dc5ef6756b8c202a6d5d94c759535
SHA256 de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c
SHA512 d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

C:\Users\Admin\AppData\Local\Temp\716F.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/1104-20-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4376-21-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4376-22-0x0000000000120000-0x000000000015C000-memory.dmp

memory/1104-23-0x0000000000AC0000-0x0000000001F76000-memory.dmp

memory/4376-24-0x0000000007670000-0x0000000007C14000-memory.dmp

memory/4376-25-0x00000000071A0000-0x0000000007232000-memory.dmp

memory/4376-27-0x0000000007370000-0x0000000007380000-memory.dmp

memory/4376-28-0x0000000007180000-0x000000000718A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

memory/4376-47-0x0000000008240000-0x0000000008858000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d87229b116edc4003d8244f9039b15f8
SHA1 73249e6c378fe1f75799defff01d97deef857ac4
SHA256 9696335f8cbf1000a0b9498458fb630e64dae4e209fb8efeb0b9cde4b13be227
SHA512 8d37482bac52cfbcadc76d7a616306994b0d1c3838c85312797d9c1eb371cdc381e682b56f6e6c4ec2baa9a9eddc17deff7ec7e0497a39488a060fc3267dd1b1

memory/4376-55-0x00000000074C0000-0x00000000075CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 6200a658245d0bf4fab336e6018a8fef
SHA1 c4bd77e3561eeda70eb68432fa0b146e8777a648
SHA256 7ab8cb78dd3a44504e05aacb1daec6771793c4072c4a1e2bdb959799f8e96b66
SHA512 496dcb042306af0c59134a4f4b2def798926869f537c6c650d67efc3e803804b88a0d07005fbf8714e7d8fb7dc145419c9da42c6f02d9ac57d41a7353325b5d9

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 648cf2409af84186c9d9ec1bc00c3f4c
SHA1 a24e94213ba233a05ef3a386ab20df7461483cb6
SHA256 4a6166045b17c703f9d9a5547aa81d0e2e2a7d1019268bef5b13b609896c53dd
SHA512 ac16f74ac3eb7566fa966a480ee021af8addf641f938bcffc37f565641f7c6ad0d937cb92b76d8736aba725fc87ebc4426f889bdf07ee82c356be9d144cd9a74

memory/4376-57-0x00000000073F0000-0x0000000007402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 8b549b3586fdcfec2f80d8e3ef602dc1
SHA1 d004ccb9547888a939cf664e7eca60642590daa2
SHA256 10e7790607d5c8c14e9ed5eb0747d5901a7f88f322a69d5b979985d93caa07d6
SHA512 cf878cd75bb7007a8a3b572c13187c6e892ddcc0ae75868b6b0e22d9fa20daeca6e190f7ee3d5e5203cce2f088da33808c0c3e28cd1599add5afdc0aa8abf696

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 39508adcff7eceed3a77a6f6f7e715a8
SHA1 dcd84016a43ab9bd5d476889043f4b56827e8539
SHA256 75b704ba240410adec369ffccc29665521133682d8fb65b021c9888e5d894759
SHA512 5d29ea730cc4dd593f5b06cb31cd94a1192e53380a90f29d26e917af7088d9df791c7525a92b1c626876ff523e78f8806b36f8cd6479a46c79ac529713ec2178

memory/4376-63-0x0000000007450000-0x000000000748C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 b085b07c9fb1aa44b3f854512a6f1b2f
SHA1 0a9aa29c512dc0ff4aba69480d0544f5d829831e
SHA256 de15932684958ba35f798f366ad2e56fa14a3b6259944e5906c2fb3e4a3a4c40
SHA512 1fb1f9972e0a5ab5b4c36f51d3f028d023939f1f6a8e3c84ac7bf72162ac0ba3fa830380a4b6172bcfaf75ed36b0841a160f3c9f326c2bcbf9292816f92e698a

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 8e5942a7903c1da6ed46c2a50f9742ed
SHA1 76aaf7b3616659a6f24b4a8f5b243496e4a38bf6
SHA256 bda380296a716271d12fa54ef0c33ae356d51669c0c9b7b944f870e6e313e5f6
SHA512 0cd9fe2ef8ffac44194bd5ccf3a66720d62eeb2db4600a5fcba792fbaf7e988eada5cd6e7e0c8f258025af754d85db753d7b75116a4bb41804ffffed6261dfbe

memory/3324-74-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4376-75-0x00000000075D0000-0x000000000761C000-memory.dmp

memory/1824-79-0x0000000000B40000-0x0000000000B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 9615886cd5d4b73e21b7b37853a3abe1
SHA1 27a295a2be329fda09ef420de6fbc5880f63f661
SHA256 d7e749046df14ec00a793aa7b8913c44bfabbb9d0668b765ee60d5f3ceb4d37a
SHA512 c7b9fead0499e0b946c62887635742d8b96c8e2a2c671f8aeab20518202329a184aa5daf18adc4f3ef8669802740fd5b66e9a2eb7e9b9e871918032e6473f4bf

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 798886a57ce7fb1a76a577beeb7d05da
SHA1 78f2d724346c7baefbab1d0030ec16a4393ca7d9
SHA256 8706348d9e340df292ec7cd842588b1a1d0f68667bdfcd29c7ec8e57920a8e61
SHA512 261002f42db2421c20b5212e1d2e96658ff7ca02bccf16bfb1fc2e53eae9e533c873d1f36d3d29c52a3f95ebd67376c4691084f08a0c4449512a4ee333881665

C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

memory/1104-91-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4524-107-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8BLAL.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-8BLAL.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 16e697fbb09b200f0ab420179ccaefd4
SHA1 5908f7f583d0b60bf5e51dec26abb3ffd7cc31a6
SHA256 3f3a7313feed17bb3d0e821bdaf1ebede9c106d93d322b4ab28184259f709f9c
SHA512 ebae80718fd33b14184c92551fa299777aeec97af0d79574f850441fdb29545e942bf095f3272a634f83c754bb1d47e1a04a07f52434596e73cb455a6ae9f9d2

memory/4920-235-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4920-236-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4920-239-0x0000000000400000-0x0000000000785000-memory.dmp

C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

MD5 031f92aa5d2af7d683af4ca4d6da56fb
SHA1 c050f9b1f22b7a461a8cc8ba25616a6611a7a28f
SHA256 bb16d833e4cf44e4103b4492df9b9b0c3acf0099eed9fc1271c62e1a6f4345cd
SHA512 487dc0256aae5c584cccba4ff9ef4ea4e4cd02374daf45454fb06d0d72c83f5c2b3a3df9d9d4a6b6121e053ccdee5c357f66a8b4ce616b3457f01f7a8d03c755

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 da8aa7fca2c1f2aadec5c23992945964
SHA1 8b5ec126443684fd504b3aef2a3dfb25a3b3b997
SHA256 27d64e47f85f561390c129f813280adb43084a48183f406a4da43c63669618b4
SHA512 7309791627810478e737bc2bbc7b07a5f2351b9df8bbf56e0c4923fe1822d438969202779dfa0b5b5dc54417d86bf806739ee29ac1e0cffee4ba8d8b3dcd8ad9

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 53f84548a76c05e2eb08dec0ffc3914e
SHA1 06aaf965c1b1743aeba9fab4e31086882c9b8536
SHA256 debc49918d3e8c0f01a2ea5d005e7ed2a9b89d6652876c65d006e08bdb81c3aa
SHA512 97798caf6269f173361b46cb94f407b3b0cd2e3531cf5ce08c79d8ea563bb3bac4d7eda1ebf270c6847fc04a4d8bf8ba3451a154d5ef258a0572438e0d897199

memory/4472-243-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4376-245-0x0000000007E10000-0x0000000007E76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C906.exe

MD5 d9272f48339d2fff46bdf9ca231866fb
SHA1 bf2ae059f6e8403100bed30d4f524670e01f3bf7
SHA256 d9dab8e325c4e4a5b45d00a631d0cdbbbee06d805eb9a43a69b403771ec890f7
SHA512 3738adfc0f6f430031b24c17bde97afa3c50a3502a3924c69122d8384b68c7321b71b590dd413aa8c597d1893a8902802ab43efbc0cfdaffb7222ec5e4f0b932

C:\Users\Admin\AppData\Local\Temp\C906.exe

MD5 3128ddef41e91856db29b2fd12a8fcc6
SHA1 686107159084b34be7cc1aabc6ef2cc3113c3a1e
SHA256 a982aa8c21830caea888c61b1151496d3f7bedfd70838fbb2eda21528186571f
SHA512 bbe60496c3b9b8c132f0cca4611d09954b76d6914820e7c9469c1d65be5013b472d1fb0a85763c62de47b24986315f0844f33e1a3aa95a4b2474d7ffbf5a5dc2

memory/3324-252-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2072-254-0x00007FF793510000-0x00007FF793AB1000-memory.dmp

memory/2688-253-0x0000000000410000-0x00000000009C2000-memory.dmp

memory/4524-255-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1824-251-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2688-256-0x0000000005510000-0x00000000055AC000-memory.dmp

memory/2688-257-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4376-258-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/4640-259-0x0000000002980000-0x0000000002D7D000-memory.dmp

memory/2688-260-0x0000000005500000-0x0000000005510000-memory.dmp

memory/4640-261-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/4376-262-0x0000000007370000-0x0000000007380000-memory.dmp

memory/4640-263-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4472-264-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4640-265-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1364-268-0x0000000000840000-0x0000000000940000-memory.dmp

memory/1364-270-0x0000000000830000-0x0000000000839000-memory.dmp