Analysis Overview
SHA256
808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b
Threat Level: Known bad
The file c127879c5fa90526ba316c4bffd85427.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
SmokeLoader
Smokeloader family
Raccoon family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-03-09 01:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-03-09 01:50
Reported: 2025-03-09 01:52
Platform: win7-20250207-en
Max time kernel: 140s
Max time network: 140s
Command Line:
Signatures
Raccoon
Raccoon family
SmokeLoader
Smokeloader family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2424 set thread context of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe |
| PID 824 set thread context of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 34)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\', i.e. a Defender exclusion for the whole system drive, which is the SmokeLoader defense-evasion step behind the Raccoon drop that follows)
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"
C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 45.15.156.16:80 | | tcp |
| DE | 45.15.156.16:80 | | tcp |
| NL | 82.115.223.5:80 | | tcp |
| NL | 82.115.223.5:80 | | tcp |
| NL | 82.115.223.6:80 | | tcp |
| NL | 82.115.223.6:80 | | tcp |
| DE | 45.15.156.17:80 | | tcp |
| DE | 45.15.156.17:80 | | tcp |
| NL | 82.115.223.7:80 | 82.115.223.7 | tcp |
Files
memory/2424-0-0x000000007463E000-0x000000007463F000-memory.dmp
memory/2424-1-0x0000000000C20000-0x0000000000D6A000-memory.dmp
memory/2424-2-0x0000000004890000-0x00000000049D8000-memory.dmp
memory/2424-3-0x0000000074630000-0x0000000074D1E000-memory.dmp
memory/2424-4-0x0000000000AD0000-0x0000000000B62000-memory.dmp
memory/768-7-0x0000000001DB0000-0x0000000001DF0000-memory.dmp
memory/2424-8-0x000000007463E000-0x000000007463F000-memory.dmp
memory/2424-9-0x0000000074630000-0x0000000074D1E000-memory.dmp
memory/768-10-0x0000000001DB0000-0x0000000001DF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | 64ccab9d534276eb7c514bad3caae6d3 |
| SHA1 | 43d3a3ec285e4cfab9dced997d24d069a2f2d1d5 |
| SHA256 | c6f61c92b55932351f95342c056a8d9d935c70ec19249439b4c557edd3b1cffb |
| SHA512 | 31524274c8a539b86b7ed8be86958c637ef00430e07381c98e9f6d519507125aecd79c9ebbc050cd6eb6207c8ed11a6ab4849e8a549380fe36e8c059ad82617a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y8F65RTP3AO4555EEDM1.temp
| Hash | Value |
| --- | --- |
| MD5 | 5538c20e5aad35287f978d09dc59f66a |
| SHA1 | 3b9af5a6c5cdb2787419e05c77ddb8167860564f |
| SHA256 | 86cffba1d5fad48b816428ff39273fa43bdfbcf313edf474b43eac5ee42342b1 |
| SHA512 | 9a95f54075e8ef5844a9d66dde338734e5a6d5d63295d08ce007318bdbedec4b37ccadc5e321588d1cab09c6c0eb8177202a1da0a922c0dfb9c128c23d9fe4b7 |
\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
| Hash | Value |
| --- | --- |
| MD5 | 7f1f17f581d25b34013146f290fea01b |
| SHA1 | 27c020394a1396b3e11ab563d62f76c2d5e873ea |
| SHA256 | 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375 |
| SHA512 | 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935 |
memory/824-24-0x00000000000B0000-0x0000000000184000-memory.dmp
memory/824-25-0x0000000001F60000-0x0000000002030000-memory.dmp
memory/1392-37-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1392-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1392-34-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1392-32-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1392-30-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1392-28-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1392-26-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1392-38-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2424-39-0x0000000074630000-0x0000000074D1E000-memory.dmp
\??\PIPE\srvsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/836-60-0x0000000000400000-0x0000000000409000-memory.dmp
memory/836-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/836-57-0x0000000000400000-0x0000000000409000-memory.dmp
memory/836-55-0x0000000000400000-0x0000000000409000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2025-03-09 01:50
Reported: 2025-03-09 01:52
Platform: win10v2004-20250217-en
Max time kernel: 99s
Max time network: 151s
Command Line:
Signatures
Raccoon
Raccoon family
SmokeLoader
Smokeloader family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4180 set thread context of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe |
| PID 3196 set thread context of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
"C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 34)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\', i.e. a Defender exclusion for the whole system drive)
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"
C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 104.86.110.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 45.15.156.16:80 | | tcp |
| NL | 82.115.223.5:80 | | tcp |
| NL | 82.115.223.6:80 | | tcp |
| DE | 45.15.156.17:80 | | tcp |
| NL | 82.115.223.7:80 | 82.115.223.7 | tcp |
Files
memory/4180-0-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/4180-1-0x00000000002A0000-0x00000000003EA000-memory.dmp
memory/4180-2-0x0000000004D20000-0x0000000004E68000-memory.dmp
memory/4180-3-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4180-4-0x0000000004FB0000-0x0000000005042000-memory.dmp
memory/4180-5-0x0000000005040000-0x0000000005062000-memory.dmp
memory/4180-6-0x0000000005280000-0x00000000055D4000-memory.dmp
memory/3976-7-0x0000000002EC0000-0x0000000002EF6000-memory.dmp
memory/3976-8-0x0000000005640000-0x0000000005C68000-memory.dmp
memory/3976-9-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/3976-10-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/3976-11-0x0000000005E50000-0x0000000005EB6000-memory.dmp
memory/3976-19-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwat3cvd.0ax.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3976-12-0x0000000005EC0000-0x0000000005F26000-memory.dmp
memory/3976-23-0x0000000006520000-0x000000000653E000-memory.dmp
memory/3976-24-0x0000000006550000-0x000000000659C000-memory.dmp
memory/3976-25-0x0000000007CF0000-0x000000000836A000-memory.dmp
memory/3976-26-0x0000000006A00000-0x0000000006A1A000-memory.dmp
memory/4180-27-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/4180-28-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/3976-29-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/3976-33-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/4936-35-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4936-36-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4936-37-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | d09e5e89285abd538b1acee06841118f |
| SHA1 | 56cf105c0e0a9e0d53e35c297a2aca4aa29a2e47 |
| SHA256 | a90fe29fbe7d82349269478a81d5e31d18ce1b88064cdd9b7adc1309b8cafd01 |
| SHA512 | 2b3e3f25c3123fa6a04289c58734823e10fbd028ec1efc37c70f184a61c06f55ae2c165a425b0af3606f4b8a99f9e4712a815857853ae61ed9c99c0c21452440 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| Hash | Value |
| --- | --- |
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/4936-49-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4936-50-0x0000000007470000-0x00000000074A2000-memory.dmp
memory/4936-51-0x000000006FBA0000-0x000000006FBEC000-memory.dmp
memory/4936-61-0x00000000073F0000-0x000000000740E000-memory.dmp
memory/4936-62-0x0000000007700000-0x00000000077A3000-memory.dmp
memory/4936-63-0x00000000077B0000-0x00000000077BA000-memory.dmp
memory/4936-64-0x00000000079B0000-0x0000000007A46000-memory.dmp
memory/4936-65-0x0000000007910000-0x0000000007921000-memory.dmp
memory/4936-66-0x0000000007940000-0x000000000794E000-memory.dmp
memory/4936-67-0x0000000007960000-0x0000000007974000-memory.dmp
memory/4936-68-0x0000000007A70000-0x0000000007A8A000-memory.dmp
memory/4936-69-0x0000000007A50000-0x0000000007A58000-memory.dmp
memory/4936-71-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
| Hash | Value |
| --- | --- |
| MD5 | 7f1f17f581d25b34013146f290fea01b |
| SHA1 | 27c020394a1396b3e11ab563d62f76c2d5e873ea |
| SHA256 | 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375 |
| SHA512 | 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935 |
memory/3196-86-0x0000000000270000-0x0000000000344000-memory.dmp
memory/1292-85-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1292-83-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3196-87-0x0000000004B00000-0x0000000004BD0000-memory.dmp
memory/4180-88-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 0dda0d409c57cf5ac1aa1054b853f539 |
| SHA1 | b8e868f12a1e1515973af295bdbe9ff5123ed115 |
| SHA256 | 5818956c7966e83a6a9bb84ce764c8acbb9352c4b8b278d86d08c6af622c579b |
| SHA512 | 057d445926609b2e30739fe511593e44d18015fa7a1076a6001fb67a53c1e033a63417d73253a9ea6df2be7988d753f4577896a28634d7dabcbcd49b0c121b35 |
memory/1244-99-0x0000000006910000-0x000000000695C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 28089a6c3567fbe008331f655f5a8feb |
| SHA1 | af84603ec049ef66f399ab8d2af272a80132a9c0 |
| SHA256 | b2c090cf56d30e64f6fa77304342da3950329d8dea08b9c16aecd0ceb7d01a01 |
| SHA512 | 7df759257b7c1db078f26b9eb360b1590b4924749ea6964f16624679424096a2ab11649b4b805175bc01c8dc0eed7bc1fd0f034dd45681bfe0a73670e62be928 |
memory/4084-111-0x0000000070010000-0x000000007005C000-memory.dmp
memory/4084-121-0x0000000007480000-0x0000000007523000-memory.dmp
memory/4084-122-0x0000000007710000-0x0000000007721000-memory.dmp
memory/4084-123-0x0000000007770000-0x0000000007784000-memory.dmp
memory/3036-125-0x0000000000400000-0x0000000000409000-memory.dmp