Malware Analysis Report

2025-04-14 08:05

Sample ID 250309-b9a7aswnz4
Target c127879c5fa90526ba316c4bffd85427.exe
SHA256 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b
Tags raccoon smokeloader eee94d533c0441c732ed7e18e494bdc6 x0x4 backdoor discovery stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b

Threat Level: Known bad

The file c127879c5fa90526ba316c4bffd85427.exe was found to be: Known bad.

Malicious Activity Summary

Raccoon

SmokeLoader

Smokeloader family

Raccoon family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-09 01:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-09 01:50

Reported

2025-03-09 01:52

Platform

win7-20250207-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

Signatures

Raccoon

stealer raccoon

Raccoon family

raccoon

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2424 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2424 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2424 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2424 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 2424 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 824 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 824 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
Decoded -enc argument (base64 of UTF-16LE): Start-Sleep -Seconds 34

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Decoded -enc argument (base64 of UTF-16LE): Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' (adds the whole C: drive to the Microsoft Defender exclusion list)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
DE | 45.15.156.16:80 | | tcp
DE | 45.15.156.16:80 | | tcp
NL | 82.115.223.5:80 | | tcp
NL | 82.115.223.5:80 | | tcp
NL | 82.115.223.6:80 | | tcp
NL | 82.115.223.6:80 | | tcp
DE | 45.15.156.17:80 | | tcp
DE | 45.15.156.17:80 | | tcp
NL | 82.115.223.7:80 | 82.115.223.7 | tcp

Files

memory/2424-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2424-1-0x0000000000C20000-0x0000000000D6A000-memory.dmp

memory/2424-2-0x0000000004890000-0x00000000049D8000-memory.dmp

memory/2424-3-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2424-4-0x0000000000AD0000-0x0000000000B62000-memory.dmp

memory/768-7-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

memory/2424-8-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2424-9-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/768-10-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 64ccab9d534276eb7c514bad3caae6d3
SHA1 43d3a3ec285e4cfab9dced997d24d069a2f2d1d5
SHA256 c6f61c92b55932351f95342c056a8d9d935c70ec19249439b4c557edd3b1cffb
SHA512 31524274c8a539b86b7ed8be86958c637ef00430e07381c98e9f6d519507125aecd79c9ebbc050cd6eb6207c8ed11a6ab4849e8a549380fe36e8c059ad82617a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y8F65RTP3AO4555EEDM1.temp

MD5 5538c20e5aad35287f978d09dc59f66a
SHA1 3b9af5a6c5cdb2787419e05c77ddb8167860564f
SHA256 86cffba1d5fad48b816428ff39273fa43bdfbcf313edf474b43eac5ee42342b1
SHA512 9a95f54075e8ef5844a9d66dde338734e5a6d5d63295d08ce007318bdbedec4b37ccadc5e321588d1cab09c6c0eb8177202a1da0a922c0dfb9c128c23d9fe4b7

\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

MD5 7f1f17f581d25b34013146f290fea01b
SHA1 27c020394a1396b3e11ab563d62f76c2d5e873ea
SHA256 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375
SHA512 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935

memory/824-24-0x00000000000B0000-0x0000000000184000-memory.dmp

memory/824-25-0x0000000001F60000-0x0000000002030000-memory.dmp

memory/1392-37-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1392-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-28-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-38-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2424-39-0x0000000074630000-0x0000000074D1E000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/836-60-0x0000000000400000-0x0000000000409000-memory.dmp

memory/836-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/836-57-0x0000000000400000-0x0000000000409000-memory.dmp

memory/836-55-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-09 01:50

Reported

2025-03-09 01:52

Platform

win10v2004-20250217-en

Max time kernel

99s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

Signatures

Raccoon

stealer raccoon

Raccoon family

raccoon

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Checks computer location settings

Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 4180 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 4936 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4180 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4180 wrote to memory of 3196 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 4180 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
PID 3196 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 3196 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 3196 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 3196 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 3196 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 3196 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
Decoded -enc argument (base64 of UTF-16LE): Start-Sleep -Seconds 34

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Decoded -enc argument (base64 of UTF-16LE): Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' (adds the whole C: drive to the Microsoft Defender exclusion list)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
GB | 104.86.110.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
DE | 45.15.156.16:80 | | tcp
NL | 82.115.223.5:80 | | tcp
NL | 82.115.223.6:80 | | tcp
DE | 45.15.156.17:80 | | tcp
NL | 82.115.223.7:80 | 82.115.223.7 | tcp

Files

memory/4180-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/4180-1-0x00000000002A0000-0x00000000003EA000-memory.dmp

memory/4180-2-0x0000000004D20000-0x0000000004E68000-memory.dmp

memory/4180-3-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4180-4-0x0000000004FB0000-0x0000000005042000-memory.dmp

memory/4180-5-0x0000000005040000-0x0000000005062000-memory.dmp

memory/4180-6-0x0000000005280000-0x00000000055D4000-memory.dmp

memory/3976-7-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

memory/3976-8-0x0000000005640000-0x0000000005C68000-memory.dmp

memory/3976-9-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/3976-10-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/3976-11-0x0000000005E50000-0x0000000005EB6000-memory.dmp

memory/3976-19-0x00000000748D0000-0x0000000075080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwat3cvd.0ax.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3976-12-0x0000000005EC0000-0x0000000005F26000-memory.dmp

memory/3976-23-0x0000000006520000-0x000000000653E000-memory.dmp

memory/3976-24-0x0000000006550000-0x000000000659C000-memory.dmp

memory/3976-25-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/3976-26-0x0000000006A00000-0x0000000006A1A000-memory.dmp

memory/4180-27-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/4180-28-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/3976-29-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/3976-33-0x00000000748D0000-0x0000000075080000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/4936-35-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4936-36-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4936-37-0x00000000748D0000-0x0000000075080000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d09e5e89285abd538b1acee06841118f
SHA1 56cf105c0e0a9e0d53e35c297a2aca4aa29a2e47
SHA256 a90fe29fbe7d82349269478a81d5e31d18ce1b88064cdd9b7adc1309b8cafd01
SHA512 2b3e3f25c3123fa6a04289c58734823e10fbd028ec1efc37c70f184a61c06f55ae2c165a425b0af3606f4b8a99f9e4712a815857853ae61ed9c99c0c21452440

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4936-49-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4936-50-0x0000000007470000-0x00000000074A2000-memory.dmp

memory/4936-51-0x000000006FBA0000-0x000000006FBEC000-memory.dmp

memory/4936-61-0x00000000073F0000-0x000000000740E000-memory.dmp

memory/4936-62-0x0000000007700000-0x00000000077A3000-memory.dmp

memory/4936-63-0x00000000077B0000-0x00000000077BA000-memory.dmp

memory/4936-64-0x00000000079B0000-0x0000000007A46000-memory.dmp

memory/4936-65-0x0000000007910000-0x0000000007921000-memory.dmp

memory/4936-66-0x0000000007940000-0x000000000794E000-memory.dmp

memory/4936-67-0x0000000007960000-0x0000000007974000-memory.dmp

memory/4936-68-0x0000000007A70000-0x0000000007A8A000-memory.dmp

memory/4936-69-0x0000000007A50000-0x0000000007A58000-memory.dmp

memory/4936-71-0x00000000748D0000-0x0000000075080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

MD5 7f1f17f581d25b34013146f290fea01b
SHA1 27c020394a1396b3e11ab563d62f76c2d5e873ea
SHA256 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375
SHA512 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935

memory/3196-86-0x0000000000270000-0x0000000000344000-memory.dmp

memory/1292-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1292-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3196-87-0x0000000004B00000-0x0000000004BD0000-memory.dmp

memory/4180-88-0x00000000748D0000-0x0000000075080000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0dda0d409c57cf5ac1aa1054b853f539
SHA1 b8e868f12a1e1515973af295bdbe9ff5123ed115
SHA256 5818956c7966e83a6a9bb84ce764c8acbb9352c4b8b278d86d08c6af622c579b
SHA512 057d445926609b2e30739fe511593e44d18015fa7a1076a6001fb67a53c1e033a63417d73253a9ea6df2be7988d753f4577896a28634d7dabcbcd49b0c121b35

memory/1244-99-0x0000000006910000-0x000000000695C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28089a6c3567fbe008331f655f5a8feb
SHA1 af84603ec049ef66f399ab8d2af272a80132a9c0
SHA256 b2c090cf56d30e64f6fa77304342da3950329d8dea08b9c16aecd0ceb7d01a01
SHA512 7df759257b7c1db078f26b9eb360b1590b4924749ea6964f16624679424096a2ab11649b4b805175bc01c8dc0eed7bc1fd0f034dd45681bfe0a73670e62be928

memory/4084-111-0x0000000070010000-0x000000007005C000-memory.dmp

memory/4084-121-0x0000000007480000-0x0000000007523000-memory.dmp

memory/4084-122-0x0000000007710000-0x0000000007721000-memory.dmp

memory/4084-123-0x0000000007770000-0x0000000007784000-memory.dmp

memory/3036-125-0x0000000000400000-0x0000000000409000-memory.dmp