Analysis Overview
SHA256
a6e75460353f930fe37074adaa5e317940b28cdf40a87493101c3149cbbe2bc2
Threat Level: Known bad
The file 0x0006000000017081-699.dat was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
RedLine
ZGRat
RedLine payload
Smokeloader family
SmokeLoader
Detect ZGRat V1
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-12-12 11:15
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-12 11:15
Reported: 2023-12-12 11:18
Platform: win7-20231023-en
Max time kernel: 50s
Max time network: 127s
Command Line
Signatures
Detect ZGRat V1
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F6BE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5014.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 3068 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F6BE.exe |
| PID 1328 wrote to memory of 2688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5014.exe |
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | "C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe" |
| C:\Users\Admin\AppData\Local\Temp\F6BE.exe | C:\Users\Admin\AppData\Local\Temp\F6BE.exe |
| C:\Users\Admin\AppData\Local\Temp\5014.exe | C:\Users\Admin\AppData\Local\Temp\5014.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-LR9IC.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-LR9IC.tmp\tuc3.tmp" /SL5="$C011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\Broom.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe |
| C:\Users\Admin\AppData\Local\Temp\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\latestX.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\8A19.exe | C:\Users\Admin\AppData\Local\Temp\8A19.exe |
| C:\Users\Admin\AppData\Local\Temp\9EC2.exe | C:\Users\Admin\AppData\Local\Temp\9EC2.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-12 11:15
Reported: 2023-12-12 11:18
Platform: win10v2004-20231127-en
Max time kernel: 36s
Max time network: 114s
Command Line
Signatures
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C15C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F31B.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3328 wrote to memory of 4664 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C15C.exe |
| PID 3328 wrote to memory of 920 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F31B.exe |
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe | "C:\Users\Admin\AppData\Local\Temp\0x0006000000017081-699.exe" |
| C:\Users\Admin\AppData\Local\Temp\C15C.exe | C:\Users\Admin\AppData\Local\Temp\C15C.exe |
| C:\Users\Admin\AppData\Local\Temp\F31B.exe | C:\Users\Admin\AppData\Local\Temp\F31B.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\Broom.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe |
| C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\latestX.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-D245V.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-D245V.tmp\tuc3.tmp" /SL5="$60208,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Program Files (x86)\xrecode3\xrecode3.exe | "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i |
| C:\Program Files (x86)\xrecode3\xrecode3.exe | "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\system32\net.exe" helpmsg 1 |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Query |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 helpmsg 1 |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\3361.exe | C:\Users\Admin\AppData\Local\Temp\3361.exe |
| C:\Users\Admin\AppData\Local\Temp\36BE.exe | C:\Users\Admin\AppData\Local\Temp\36BE.exe |
Network
Files
| SHA512 | 215278e24c21fba3d025f1ff3be6491cb4cec515ce85143ab84c25866d5d4b3de0897b2fbf4d04ebfad1feeb6d135e81ebfd59e8be2e1db8028e7604841bc849 |
memory/5136-224-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | a3d3c58e76c3acb623aa6904e96d153d |
| SHA1 | 79072e329de8fcb0c954f5f6abdae1ad6f69f19f |
| SHA256 | 4fcb601c52366aadd553c59c2d11090ab463c833e7e1b54cabaf4d47f2cece59 |
| SHA512 | 9bdcb9012878e5f80d4b46c332957c3e60505a34bcac059c314a32c9960c00f8b388decac8f32f75de776170e9757a4a340b73b49c5897cc71cc45fbb2a2965a |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 3fbc90157548de530f038688fad2caaa |
| SHA1 | 2babd084151d5d5a543d2b37612cce5e863f423b |
| SHA256 | 0e187baafb9bf09df81c053109298f7943b31f01432e126ec545f8278f021150 |
| SHA512 | 5525cf5501fd75dc3117beeb05e6671e0b1c0f9b3338fd0ab0fa4c0afe105c8ba2ad503803b517f5546538024a894559ed734f1f032996d9e0532d81c89b9b5e |
memory/5224-227-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4664-230-0x0000000002C70000-0x0000000002CAC000-memory.dmp
memory/1588-235-0x0000000002A30000-0x0000000002E38000-memory.dmp
memory/1588-236-0x0000000002E40000-0x000000000372B000-memory.dmp
memory/4664-237-0x0000000074360000-0x0000000074B10000-memory.dmp
memory/1588-238-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4664-239-0x0000000007FB0000-0x0000000008554000-memory.dmp
memory/4664-240-0x0000000007B00000-0x0000000007B92000-memory.dmp
memory/1820-242-0x0000000000860000-0x0000000000869000-memory.dmp
memory/5452-244-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3128-247-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4620-248-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/5452-249-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4664-246-0x0000000007BC0000-0x0000000007BCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | c82547ec85f6ab90edb1dd4ea608e2be |
| SHA1 | cd4a8694b98a2846924ee96425d1f7bb1f268f5a |
| SHA256 | 71c352d0bc697a7cd868f2cc18179a067e833c7ad538ebd4b9d5055eac40d568 |
| SHA512 | ed5c45fbab5542e0a84a9a81f40408cfa727aa5afdcf55582900baf283792fa655e7cbdc85764b41b69c480e47566d7e292e66485ccb7825511fa1d5bcde99ab |
memory/1820-243-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/4664-241-0x0000000007CE0000-0x0000000007CF0000-memory.dmp
memory/4664-250-0x0000000009040000-0x0000000009658000-memory.dmp
memory/4664-251-0x000000000A9D0000-0x000000000AADA000-memory.dmp
memory/4664-252-0x0000000009010000-0x0000000009022000-memory.dmp
memory/4664-253-0x000000000A900000-0x000000000A93C000-memory.dmp
memory/4664-254-0x000000000A940000-0x000000000A98C000-memory.dmp
memory/5572-255-0x0000000003030000-0x0000000003066000-memory.dmp
memory/1588-256-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/5572-257-0x00000000057B0000-0x0000000005DD8000-memory.dmp
memory/5572-258-0x0000000074360000-0x0000000074B10000-memory.dmp
memory/5572-261-0x0000000003130000-0x0000000003140000-memory.dmp
memory/5572-260-0x0000000003130000-0x0000000003140000-memory.dmp
memory/4620-259-0x0000000000400000-0x0000000000965000-memory.dmp
memory/5572-268-0x0000000005F10000-0x0000000005F76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jt25b4cy.qxd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5572-262-0x0000000005760000-0x0000000005782000-memory.dmp
memory/5572-273-0x00000000060F0000-0x0000000006156000-memory.dmp
memory/5572-274-0x0000000006430000-0x0000000006784000-memory.dmp
memory/5572-275-0x00000000062C0000-0x00000000062DE000-memory.dmp
memory/3308-277-0x00007FF75E850000-0x00007FF75EDF1000-memory.dmp
memory/2364-278-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/5572-279-0x0000000006B80000-0x0000000006BC4000-memory.dmp
memory/5572-280-0x0000000003130000-0x0000000003140000-memory.dmp
memory/5572-281-0x0000000007950000-0x00000000079C6000-memory.dmp
memory/5572-283-0x00000000079F0000-0x0000000007A0A000-memory.dmp
memory/5572-282-0x0000000008050000-0x00000000086CA000-memory.dmp
memory/5224-284-0x0000000000400000-0x0000000000785000-memory.dmp
memory/5572-288-0x000000006C990000-0x000000006CCE4000-memory.dmp
memory/5452-300-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5572-302-0x0000000007BF0000-0x0000000007C93000-memory.dmp
memory/5572-299-0x0000000007B90000-0x0000000007BAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3361.exe
| MD5 | e5d914eb885374e422d3c7a0544040a4 |
| SHA1 | 185bb8714515d06dd4b106782fd86a486652b0b8 |
| SHA256 | b59ddc0eb1e040eb6be1011bdd40e56c92cf718ebb54584c3ea066ec9181d1de |
| SHA512 | a5a6e664ad479dc599be21568257a4d08c4061d8bba8cd0927e2e08834bd3979aa82949a3ca7cecc8109130396f3cf449164f67dfe6fb936bf3e3a875389592a |
C:\Users\Admin\AppData\Local\Temp\3361.exe
| MD5 | 9243f0b25a2d945c4f28f40a1463f6c3 |
| SHA1 | 5111d5252b9ef7de293d3eebe73fc64ae72e5ab2 |
| SHA256 | eaf8944714ba86140c58e06327b1267f4e478d4941e96c025e8ae579394bcad0 |
| SHA512 | 74265f937aa176e8147350afbff494e2582aefff897695204ad4750a03d91b69f89dd597aed876d10f957d483e690434b661d44d689e76164a612bab24436f9a |
memory/5224-310-0x0000000000400000-0x0000000000785000-memory.dmp
memory/6020-311-0x00000000005E0000-0x0000000000AD4000-memory.dmp
memory/1588-312-0x0000000002E40000-0x000000000372B000-memory.dmp
memory/5572-306-0x0000000007CE0000-0x0000000007CEA000-memory.dmp
memory/6020-313-0x0000000074360000-0x0000000074B10000-memory.dmp
memory/3328-298-0x0000000000AB0000-0x0000000000AC6000-memory.dmp
memory/5572-316-0x0000000007DF0000-0x0000000007E86000-memory.dmp
memory/1588-317-0x0000000002A30000-0x0000000002E38000-memory.dmp
memory/6020-315-0x0000000005640000-0x00000000056DC000-memory.dmp
memory/4664-318-0x0000000074360000-0x0000000074B10000-memory.dmp
memory/6020-319-0x0000000005630000-0x0000000005640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\36BE.exe
| MD5 | 26fd5503310b8cf6fb27442b3874d669 |
| SHA1 | 13735ed17a04beb6977eba7fdfa7bd8811948efd |
| SHA256 | 92ba6d031f40688e89e00a7f5af6fcb5dd47fc8981e76b6692089e90429ed9f1 |
| SHA512 | 9363b098777210fb7f3817c340f4e2087a70eee99fd0aaf00c93e6dfb3be27c7e6b93b07db1b24edca7d55ed18f3557b6e232e7b4979e9ba27b70ee999e19703 |
C:\Users\Admin\AppData\Local\Temp\36BE.exe
| MD5 | 63353d70a6e90b54fac07e0187bbf0ba |
| SHA1 | 6149408d97958692b1dc9308a97e1eb4601b8a89 |
| SHA256 | 86a107ab19bda413112664d0e8df906836d882039fdb2b35391af217788cc77a |
| SHA512 | f16f328e14fbd2ba8841ca723ca145a70061dfb117306160780c3f11d6df423e611042742bbf9e3f96f8d39611271c5dd5b4b1e3d9ed2d8da41a93af841771ab |
memory/5572-287-0x00000000722F0000-0x000000007233C000-memory.dmp
memory/5572-286-0x000000007F620000-0x000000007F630000-memory.dmp
memory/5572-285-0x0000000007BB0000-0x0000000007BE2000-memory.dmp