Malware Analysis Report

2025-04-14 07:22

Sample ID: 230914-yjehcshc95
Target: 8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda
SHA256: 8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda
Tags: amadey fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor infostealer spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda

Threat Level: Known bad

The file 8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda was found to be: Known bad.

Malicious Activity Summary

Amadey

Detect Fabookie payload

RedLine

Fabookie

SmokeLoader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-14 19:48

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-14 19:48
Reported: 2023-09-14 19:51
Platform: win10-20230831-en
Max time kernel: 62s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe | N/A
(62 further events of this type were recorded with no description, indicator, process or target details)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeShutdownPrivilege | N/A | N/A | N/A | 9
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A | 9

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3164 wrote to memory of 3804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9640.exe | 3
PID 3164 wrote to memory of 2120 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97C7.exe | 3
PID 3164 wrote to memory of 1752 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98C2.exe | 3
PID 3164 wrote to memory of 4728 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8F0.exe | 3

Uses Task Scheduler COM API

persistence

Processes

Image path, with the observed command line indented beneath it:

C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe
    "C:\Users\Admin\AppData\Local\Temp\8110132c921704067eaefbc8610e9a802dd36df27a33c23728301b344a91fcda.exe"

C:\Users\Admin\AppData\Local\Temp\9640.exe
    C:\Users\Admin\AppData\Local\Temp\9640.exe

C:\Users\Admin\AppData\Local\Temp\97C7.exe
    C:\Users\Admin\AppData\Local\Temp\97C7.exe

C:\Users\Admin\AppData\Local\Temp\98C2.exe
    C:\Users\Admin\AppData\Local\Temp\98C2.exe

C:\Users\Admin\AppData\Local\Temp\A8F0.exe
    C:\Users\Admin\AppData\Local\Temp\A8F0.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\AAB6.exe
    C:\Users\Admin\AppData\Local\Temp\AAB6.exe

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\B084.exe
    C:\Users\Admin\AppData\Local\Temp\B084.exe

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5C4.dll

C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\B5C4.dll

C:\Windows\SysWOW64\cacls.exe
    CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\B8A4.exe
    C:\Users\Admin\AppData\Local\Temp\B8A4.exe

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
    "C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Windows\SysWOW64\cacls.exe
    CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\CBDF.exe
    C:\Users\Admin\AppData\Local\Temp\CBDF.exe

C:\Users\Admin\AppData\Local\Temp\D3CF.exe
    C:\Users\Admin\AppData\Local\Temp\D3CF.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\iasiitt
    C:\Users\Admin\AppData\Roaming\iasiitt

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe
    CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

Network


Files
