Malware Analysis Report

2025-08-11 01:39

Sample ID 230226-f25s6afg3t
Target c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
SHA256 c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
Tags
smokeloader backdoor trojan warzonerat collection infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9

Threat Level: Known bad

The file c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9 was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan warzonerat collection infostealer persistence rat

Detects Smokeloader packer

WarzoneRat, AveMaria

SmokeLoader

Blocklisted process makes network request

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Accesses Microsoft Outlook profiles

Adds Run key to start application

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-26 05:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-26 05:23

Reported

2023-02-26 05:28

Platform

win7-20230220-en

Max time kernel

300s

Max time network

34s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1

(-ExecutionPolicy bypass turns off script-signing enforcement for this one process only. Execution policy is not a security boundary, so a restrictive host policy would not have stopped this launch; the switch in a process command line is itself a useful detection field.)

Signatures

Detects Smokeloader packer

Description Indicator Process Target
(4 hits, none with a description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
(Enum\SCSI holds the hardware IDs of attached disks; on a virtual machine those IDs carry the hypervisor's vendor strings, so reading this key is a routine sandbox/VM fingerprinting step rather than payload activity.)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
(60 further hits with no process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1

C:\Users\Admin\AppData\Local\Temp\agent.exe

"C:\Users\Admin\AppData\Local\Temp\agent.exe"

Network

Country Destination Domain Proto
NL 79.110.62.167:80 79.110.62.167 tcp

Files

memory/1160-58-0x000000001B1A0000-0x000000001B482000-memory.dmp

memory/1160-59-0x0000000002370000-0x0000000002378000-memory.dmp

memory/1160-60-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/1160-61-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/1160-62-0x00000000028E0000-0x0000000002960000-memory.dmp

memory/1160-63-0x00000000028E0000-0x0000000002960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agent.exe

MD5 1496b98fe0530da47982105a87a69bce
SHA1 00719a1b168c8baa3827a161326b157713f9a07a
SHA256 c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
SHA512 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

memory/1856-71-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1856-73-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1236-72-0x0000000002C00000-0x0000000002C16000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-26 05:23

Reported

2023-02-26 05:28

Platform

win10-20230220-en

Max time kernel

300s

Max time network

295s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1

Signatures

Detects Smokeloader packer

Description Indicator Process Target
(5 hits, none with a description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

WarzoneRat, AveMaria

rat infostealer warzonerat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
(These profile keys hold Outlook account configuration, including saved mail-account credentials. The reader is C:\Windows\SysWOW64\explorer.exe, which is also a target of the WriteProcessMemory activity recorded below, so the access comes from injected code rather than from Explorer itself. explorer.exe opening Outlook profile keys is a dependable collection indicator.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C634.exe" C:\Users\Admin\AppData\Local\Temp\C634.exe N/A
(WOW6432Node is the 32-bit registry view, so this is the machine-wide HKLM Run key as written by a 32-bit process. Writing it needs administrative rights, which the sandbox user has, and the entry relaunches C634.exe from %TEMP% at every logon of any user. Run values that point into %TEMP% or %APPDATA% are worth alerting on regardless of value name.)

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\agent.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
(59 further hits with no process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\agent.exe N/A
(10 further hits with no process recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C568.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\C568.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 4332 (3 writes) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\agent.exe
PID 3092 wrote to memory of 1548 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\C568.exe
PID 3092 wrote to memory of 1384 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\C634.exe
PID 3092 wrote to memory of 2844 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3092 wrote to memory of 4540 (3 writes) N/A N/A C:\Windows\explorer.exe
PID 3092 wrote to memory of 4412 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3092 wrote to memory of 520 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3092 wrote to memory of 3744 (3 writes) N/A N/A C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
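
The signatures above describe a chain that is easy to turn into host-based detection logic: a PowerShell started with -ExecutionPolicy bypass launching a PE from %TEMP%, a Run value pointing into %TEMP%, a user-writable binary opening explorer.exe for injection, explorer.exe reading Outlook profile keys, and explorer.exe talking to an IP on port 5200. The following is an added example written for this page, not part of the sandbox report or of any vendor tool. It runs five rules over a hand-constructed list of Sysmon-style events (field names follow Sysmon's schema: EventID 1 process create, 3 network connect, 10 process access, 12/13 registry); the event values are modelled on the report's indicators plus two benign control events, and the %TEMP%/%APPDATA% path patterns and the "expected ports" set are this example's assumptions.

```python
"""Detection pass over constructed Sysmon-style events modelled on the
behavioral2 chain in this report. Added illustration, not report content."""
import re

# Assumptions: user-writable drop locations, the Run key, Outlook profile
# paths, and the ports explorer.exe is normally allowed to reach.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
OUTLOOK_PROFILE = re.compile(
    r"\\(Windows Messaging Subsystem|Office\\\d+\.\d+\\Outlook)\\Profiles\\", re.IGNORECASE)
BYPASS = re.compile(r"-ExecutionPolicy\s+bypass", re.IGNORECASE)
EXPECTED_PORTS = {53, 80, 443}
VM_OPERATION_OR_WRITE = 0x0028  # PROCESS_VM_OPERATION | PROCESS_VM_WRITE

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = (r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData"
          r"\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1")
AGENT = r"C:\Users\Admin\AppData\Local\Temp\agent.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
PROFILE_KEY = (r"HKU\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft"
               r"\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

# Constructed events (not captured from a live host).
EVENTS = [
    {"EventID": 1, "Image": PS, "CommandLine": PS_CMD,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 1, "Image": AGENT, "CommandLine": f'"{AGENT}"',
     "ParentImage": PS, "ParentCommandLine": PS_CMD},
    {"EventID": 10, "SourceImage": AGENT, "TargetImage": EXPLORER32, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\C634.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\C634.exe"},
    {"EventID": 12, "Image": EXPLORER32, "TargetObject": PROFILE_KEY},
    {"EventID": 3, "Image": EXPLORER32, "DestinationIp": "212.87.204.251", "DestinationPort": 5200},
    {"EventID": 3, "Image": EXPLORER32, "DestinationIp": "79.110.62.167", "DestinationPort": 80},
    # Benign controls that must not fire: Outlook reading its own profile,
    # an installer adding a Run entry that points under Program Files.
    {"EventID": 12, "Image": OUTLOOK, "TargetObject": PROFILE_KEY},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def bypass_powershell_spawns_user_writable_exe(events):
    """Child of a '-ExecutionPolicy bypass' PowerShell whose image lives in %TEMP%/%APPDATA%."""
    return [e["Image"] for e in events if e["EventID"] == 1
            and BYPASS.search(e.get("ParentCommandLine", "")) and USER_WRITABLE.search(e["Image"])]


def run_key_points_to_user_writable(events):
    """Run value whose data launches something from %TEMP%/%APPDATA%."""
    return [e["TargetObject"] for e in events if e["EventID"] == 13
            and RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.search(e.get("Details", ""))]


def user_writable_binary_opens_explorer(events):
    """%TEMP%/%APPDATA% binary opening explorer.exe with rights sufficient to write its memory."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events if e["EventID"] == 10
            and USER_WRITABLE.search(e["SourceImage"])
            and e["TargetImage"].lower().endswith("\\explorer.exe")
            and int(e.get("GrantedAccess", "0"), 16) & VM_OPERATION_OR_WRITE]


def non_outlook_reads_outlook_profile(events):
    """Outlook profile key opened by anything other than outlook.exe."""
    return [e["Image"] for e in events if e["EventID"] in (12, 13)
            and OUTLOOK_PROFILE.search(e["TargetObject"])
            and not e["Image"].lower().endswith("\\outlook.exe")]


def explorer_connects_on_uncommon_port(events):
    """explorer.exe reaching an IP on a port outside the usual web/DNS set."""
    return [(e["DestinationIp"], e["DestinationPort"]) for e in events if e["EventID"] == 3
            and e["Image"].lower().endswith("\\explorer.exe")
            and e["DestinationPort"] not in EXPECTED_PORTS]


RULES = [bypass_powershell_spawns_user_writable_exe, run_key_points_to_user_writable,
         user_writable_binary_opens_explorer, non_outlook_reads_outlook_profile,
         explorer_connects_on_uncommon_port]


def run_rules(events):
    """Return {rule name: hits} for every rule that fired on the event list."""
    results = {}
    for rule in RULES:
        hits = rule(events)
        if hits:
            results[rule.__name__] = hits
    return results


if __name__ == "__main__":
    for name, hits in run_rules(EVENTS).items():
        print(f"{name}: {hits}")
```

Each rule keys on a relationship (parent command line to child path, value data to location, source image to target image, image to key, image to port) rather than on the sample's hashes, so the same five rules keep firing on the next SmokeLoader build that drops a differently named payload; the two control events show the false-positive cases each rule has to exclude.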

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1

C:\Users\Admin\AppData\Local\Temp\agent.exe

"C:\Users\Admin\AppData\Local\Temp\agent.exe"

C:\Users\Admin\AppData\Local\Temp\C568.exe

C:\Users\Admin\AppData\Local\Temp\C568.exe

C:\Users\Admin\AppData\Local\Temp\C634.exe

C:\Users\Admin\AppData\Local\Temp\C634.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Roaming\C568.exe

C:\Users\Admin\AppData\Roaming\C568.exe

Network

Country Destination Domain Proto
NL 79.110.62.167:80 79.110.62.167 tcp
US 8.8.8.8:53 167.62.110.79.in-addr.arpa udp
US 8.8.8.8:53 simplyadvanced1.com udp
NL 79.110.62.167:80 simplyadvanced1.com tcp
NL 79.110.62.167:80 simplyadvanced1.com tcp
NL 212.87.204.251:5200 tcp
US 8.8.8.8:53 251.204.87.212.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
NL 212.87.204.251:51234 tcp
NL 212.87.204.251:51234 tcp
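
The network table mixes three kinds of row: real connections with a resolved name, connections with a blank Domain column, and queries to the 8.8.8.8 resolver, some of which are reverse (in-addr.arpa) lookups for IPs already in the table. The following is an added example for this page, not part of the report or of any vendor tooling. It parses the table text exactly as printed above (copied into the block), treats a Domain cell that merely repeats the IP as empty, folds the resolver rows into the names they asked for, converts PTR names back to IPs, and reports which endpoints were never tied to a domain; treating 8.8.8.8 as the sandbox's resolver rather than an indicator is this example's assumption.

```python
"""Parse this report's Country/Destination/Domain/Proto table and separate
actionable network IOCs from resolver noise. Added example, not report content."""
import ipaddress
import re

# Copied from the behavioral2 Network section above; the Domain column is
# blank on some rows and repeats the IP on others.
NETWORK_TABLE = """\
Country Destination Domain Proto
NL 79.110.62.167:80 79.110.62.167 tcp
US 8.8.8.8:53 167.62.110.79.in-addr.arpa udp
US 8.8.8.8:53 simplyadvanced1.com udp
NL 79.110.62.167:80 simplyadvanced1.com tcp
NL 79.110.62.167:80 simplyadvanced1.com tcp
NL 212.87.204.251:5200 tcp
US 8.8.8.8:53 251.204.87.212.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
NL 212.87.204.251:51234 tcp
NL 212.87.204.251:51234 tcp
"""

RESOLVERS = {"8.8.8.8"}  # assumption: the sandbox's DNS server, not a contact of the malware
PTR = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa$", re.IGNORECASE)


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_network_table(text):
    """One dict per row; 'domain' is None when the column is blank or is just the IP again."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        if domain is not None and _is_ip(domain):
            domain = None
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'167.62.110.79.in-addr.arpa' -> '79.110.62.167'; None if not a PTR name."""
    m = PTR.match(name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def extract_iocs(rows):
    """Split rows into domains queried or contacted, endpoints contacted,
    IPs that were reverse-looked-up, and endpoints never tied to a name."""
    names_for = {}
    iocs = {"domains": set(), "ptr_targets": set()}
    for r in rows:
        if r["ip"] in RESOLVERS:
            # A DNS query row: the datum of interest is the name asked for.
            if r["domain"]:
                target = ptr_to_ip(r["domain"])
                if target:
                    iocs["ptr_targets"].add(target)
                else:
                    iocs["domains"].add(r["domain"].lower())
            continue
        ep = (r["ip"], r["port"])
        names_for.setdefault(ep, set())
        if r["domain"]:
            names_for[ep].add(r["domain"].lower())
            iocs["domains"].add(r["domain"].lower())
    iocs["endpoints"] = set(names_for)
    iocs["unattributed"] = {ep for ep, names in names_for.items() if not names}
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(parse_network_table(NETWORK_TABLE)).items():
        print(kind, sorted(values))
```

On this table the split leaves one domain (simplyadvanced1.com, which is what 79.110.62.167:80 served), four endpoints with no name at all (212.87.204.251 on 5200 and 51234, 20.189.173.12:443 and 209.197.3.8:80), and three reverse lookups. The PTR rows are worth keeping separate: they show which IPs were looked up, including 52.109.8.44, which never appears as a direct connection, but a reverse lookup on its own is not evidence of contact.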

Files

memory/3032-124-0x00000195BF4C0000-0x00000195BF4E2000-memory.dmp

memory/3032-127-0x00000195BF670000-0x00000195BF6E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_spu2tbgw.0lc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
(Benign artifact: PowerShell writes this probe file itself to test AppLocker/WDAC script policy, and its content is the single character "1", which is exactly what the MD5, SHA1 and SHA256 above hash to. Do not use it as an indicator.)

memory/3032-141-0x00000195A6E20000-0x00000195A6E30000-memory.dmp

memory/3032-143-0x00000195A6E20000-0x00000195A6E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\agent.exe

MD5 1496b98fe0530da47982105a87a69bce
SHA1 00719a1b168c8baa3827a161326b157713f9a07a
SHA256 c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
SHA512 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

memory/4332-162-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3092-163-0x0000000000E60000-0x0000000000E76000-memory.dmp

memory/4332-164-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Roaming\uusjsda

MD5 1496b98fe0530da47982105a87a69bce
SHA1 00719a1b168c8baa3827a161326b157713f9a07a
SHA256 c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
SHA512 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6
(Byte-identical to agent.exe above, as all four hashes show: the loader has copied itself under a random, extensionless name into %APPDATA%. Hunt for the hash, not the file name, which will differ on every host.)

C:\Users\Admin\AppData\Local\Temp\C568.exe

MD5 978efdcbc93c6c9ac15e01fda1054d7c
SHA1 23e777d93caa97b0f167f728905df31e6efaac23
SHA256 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c
SHA512 c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3

memory/1548-177-0x0000000000470000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C634.exe

MD5 4da855885a48a88b2b99abdaf7dbaddb
SHA1 95be38902672a4f729325f4322449fafe52791c4
SHA256 e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983
SHA512 4f5855573c3d08d8a11325775230544ecf79f884009a94c30c8bd4547e2ad873224ef1d34fd15b9e91423a5cf4351f22d4aa50be7c14cc2bdc2260c009e61c93

memory/1548-182-0x0000000000F40000-0x0000000000FE0000-memory.dmp

memory/1548-184-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-185-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-187-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-189-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/2844-191-0x0000000000700000-0x000000000076B000-memory.dmp

memory/1548-193-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/1548-196-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-192-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/2844-195-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/2844-197-0x0000000000700000-0x000000000076B000-memory.dmp

memory/1548-199-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-201-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-203-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-205-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-207-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-209-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-211-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-213-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-215-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/4540-219-0x0000000000C90000-0x0000000000C9C000-memory.dmp

memory/1548-221-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-232-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/4540-234-0x0000000000C90000-0x0000000000C9C000-memory.dmp

memory/1548-235-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-237-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-239-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/2844-240-0x0000000000700000-0x000000000076B000-memory.dmp

memory/1548-242-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-244-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-246-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-248-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-250-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-252-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-254-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-256-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-258-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/1548-260-0x0000000000F40000-0x0000000000FDC000-memory.dmp

memory/4412-261-0x00000000010B0000-0x00000000010B9000-memory.dmp

memory/4412-317-0x0000000000700000-0x000000000076B000-memory.dmp

memory/4412-320-0x00000000010B0000-0x00000000010B9000-memory.dmp

memory/520-504-0x00000000010B0000-0x00000000010B9000-memory.dmp

memory/520-507-0x00000000008D0000-0x00000000008D9000-memory.dmp

memory/3744-681-0x0000000000D30000-0x0000000000D39000-memory.dmp

memory/3744-679-0x00000000008D0000-0x00000000008D9000-memory.dmp

memory/1548-1030-0x0000000002CD0000-0x0000000002D26000-memory.dmp

memory/1548-1031-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/1548-1034-0x0000000002D30000-0x0000000002D7C000-memory.dmp

memory/1548-1035-0x000000001BC70000-0x000000001BCC4000-memory.dmp

C:\Users\Admin\AppData\Roaming\C568.exe

MD5 978efdcbc93c6c9ac15e01fda1054d7c
SHA1 23e777d93caa97b0f167f728905df31e6efaac23
SHA256 1cc7239194b15a44c4f7bb2a5edab03b319d3ebba56a84ac59f860acc9e2f35c
SHA512 c25d414af7d5354666f5ce4d88719374af180a265fdfd604a8c3d054df506a0154c98cc8ca4da972a018870df576455afd3804d45ae39ac7fc3c8b1c4e2329e3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\C568.exe.log

MD5 431293de3fad018871bc380403c6f53c
SHA1 935699de6ea2086cec2612f7716d147ced286768
SHA256 1d7ced4ac3efd413157af7c0d8167ab87f1060c576dc86e5518283874df2b55f
SHA512 b33b49ffb96a325da7b6d77b3c95014b2b6ff985fd6553ce80487789a8d8b56e4e24d0f819108c271146ccd188d1a7d68ba630441b065f9ddb47602297fa6c62
(Written by the .NET runtime, not by the malware: a usage log under CLR_v4.0 appears when a managed executable runs, so its presence shows C568.exe, the dropped component that also copies itself to %APPDATA%\C568.exe and requests SeDebugPrivilege, is a CLR 4 assembly.)

memory/4652-1065-0x0000000001960000-0x0000000001970000-memory.dmp

memory/4412-1066-0x0000000000700000-0x000000000076B000-memory.dmp

memory/520-1328-0x00000000010B0000-0x00000000010B9000-memory.dmp

memory/3744-1599-0x00000000008D0000-0x00000000008D9000-memory.dmp

memory/4652-1863-0x0000000001960000-0x0000000001970000-memory.dmp

memory/4652-1864-0x0000000001960000-0x0000000001970000-memory.dmp

memory/4652-1865-0x0000000001960000-0x0000000001970000-memory.dmp

memory/4652-1866-0x0000000001960000-0x0000000001970000-memory.dmp

memory/4652-1867-0x0000000001960000-0x0000000001970000-memory.dmp