Analysis Overview
SHA256
808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b
Threat Level: Known bad
The file 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
Raccoon family
SmokeLoader
Smokeloader family
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-10 02:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-10 02:33
Reported
2025-03-10 02:35
Platform
win7-20240903-en
Max time kernel
137s
Max time network
152s
Command Line
Signatures
Raccoon
Raccoon family
SmokeLoader
Smokeloader family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2436 set thread context of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe |
| PID 2920 set thread context of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
"C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"
C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
Network
| Country | Destination | Domain | Proto |
| DE | 45.15.156.16:80 | | tcp |
| DE | 45.15.156.16:80 | | tcp |
| NL | 82.115.223.5:80 | | tcp |
| NL | 82.115.223.5:80 | | tcp |
| NL | 82.115.223.6:80 | | tcp |
| NL | 82.115.223.6:80 | | tcp |
| DE | 45.15.156.17:80 | | tcp |
| DE | 45.15.156.17:80 | | tcp |
Files
memory/2436-0-0x00000000745BE000-0x00000000745BF000-memory.dmp
memory/2436-1-0x0000000000FC0000-0x000000000110A000-memory.dmp
memory/2436-2-0x0000000000D80000-0x0000000000EC8000-memory.dmp
memory/2436-3-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2436-4-0x0000000000ED0000-0x0000000000F62000-memory.dmp
memory/2788-7-0x00000000029F0000-0x0000000002A30000-memory.dmp
memory/2436-8-0x00000000745BE000-0x00000000745BF000-memory.dmp
memory/2436-9-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/2788-10-0x00000000029F0000-0x0000000002A30000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 06849a143e17feb522218f16de6d21ec |
| SHA1 | c53962eede35bd892d9736ff8ea0bc0baef85eaa |
| SHA256 | 93290b4ebac8b483b820e2ce91499f23466e1d0f85dd67054dbbd999e06f74cf |
| SHA512 | aa953705ae648c01e7d8b55d2ee7a5f64ac7d69527b7666881c5ddb4bf81e52c68018820dc138f3d15612902424704f1f8bebed26a2ffb05bd7813b3dbb34d5c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XY00CBCFIFHDCR0NPN9Q.temp
| MD5 | 8d64df15740bfbf8f22836d69b922779 |
| SHA1 | 404d5abc38bfb13da3cbbbd9fa3202368699e60b |
| SHA256 | 39768bb66e646ae4aaa46fff171922dfe37a763f63609bccce7cce56a6c1ff9a |
| SHA512 | e759f95af6090b42ef22405022fa52370d9a01b38246f81d1acc08891225bd616731c481e2c09dd9306a09ab525a33677347bfd3ee21168a239d9504fe1ba179 |
\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
| MD5 | 7f1f17f581d25b34013146f290fea01b |
| SHA1 | 27c020394a1396b3e11ab563d62f76c2d5e873ea |
| SHA256 | 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375 |
| SHA512 | 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935 |
memory/2920-25-0x0000000000CB0000-0x0000000000D80000-memory.dmp
memory/2920-24-0x0000000000E40000-0x0000000000F14000-memory.dmp
memory/2436-39-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/1220-38-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1220-37-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1220-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1220-34-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1220-32-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1220-30-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1220-28-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1220-26-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1672-52-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1672-54-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1672-57-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1672-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-10 02:33
Reported
2025-03-10 02:35
Platform
win10v2004-20250217-en
Max time kernel
107s
Max time network
129s
Command Line
Signatures
Raccoon
Raccoon family
SmokeLoader
Smokeloader family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4912 set thread context of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe |
| PID 4084 set thread context of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
"C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"
C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
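Both process trees (behavioral1 and behavioral2 are identical here) show the first stage launching two `powershell.exe -enc` children. The image path is reported as SysWOW64 while the command line names System32 because the 32-bit parent is subject to file-system redirection. The argument after `-enc` is base64 over a UTF-16LE script; decoded, the first is `Start-Sleep -Seconds 34` and the second is `Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'`, which excludes the whole system drive from Defender scanning before the dropped Ifiopyrxmbmpmdubjnjdmx0x4_2.exe runs. The following added example is not part of the sandbox report: it decodes any accepted spelling of the encoded-command switch and tags what the script does. The two command lines are copied from above; the tag names, the ATT&CK mappings and the rules that go beyond these two commands (the `-Disable*` switches and the download-cradle pattern) are this example's own.

```python
"""Decode and triage PowerShell -EncodedCommand arguments copied from a process tree.

Added example for this report, not sandbox output: CMDLINES is copied from the
behavioral1/behavioral2 process trees above; the rule names and ATT&CK mappings
are this example's own.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==",
]

# (tag, ATT&CK technique, pattern matched against the decoded script)
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"\b(Set|Add)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_disable", "T1562.001",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w+", re.I)),
    ("delay_execution", "T1497.003", re.compile(r"\bStart-Sleep\b", re.I)),
    ("download_cradle", "T1105",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)),
]


# powershell.exe accepts -EncodedCommand, its documented short forms -e and -ec,
# and any unambiguous prefix such as -enc or -encodedc (case-insensitive).
def _is_encoded_switch(token: str) -> bool:
    t = token.lower()
    return t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind an encoded-command switch, or None."""
    tokens = cmdline.split()
    for switch, value in zip(tokens, tokens[1:]):
        if not _is_encoded_switch(switch):
            continue
        try:
            raw = base64.b64decode(value.strip("'\""), validate=True)
        except (binascii.Error, ValueError):
            return None          # not base64: a mangled or truncated argument
        if len(raw) % 2:         # UTF-16 needs an even byte count
            return None
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return None


@dataclass
class Finding:
    cmdline: str
    script: Optional[str]
    tags: List[str] = field(default_factory=list)
    techniques: List[str] = field(default_factory=list)


def triage(cmdlines: List[str]) -> List[Finding]:
    """Decode every command line and attach the rule tags that fire on it."""
    findings = []
    for cmdline in cmdlines:
        script = decode_encoded_command(cmdline)
        finding = Finding(cmdline, script)
        for tag, technique, pattern in RULES:
            if script and pattern.search(script):
                finding.tags.append(tag)
                if technique not in finding.techniques:
                    finding.techniques.append(technique)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(CMDLINES):
        print(f"{f.script!r}  tags={f.tags}  attack={f.techniques}")
```

Run against the two command lines above, the first yields only `delay_execution`; the second yields `defender_exclusion` and `delay_execution`. Telemetry that records only the outer command line misses all of this, so the decode step belongs in the pipeline before any keyword match on `Set-MpPreference`.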
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 45.15.156.16:80 | | tcp |
| NL | 82.115.223.5:80 | | tcp |
| NL | 82.115.223.6:80 | | tcp |
| DE | 45.15.156.17:80 | | tcp |
| NL | 82.115.223.7:80 | 82.115.223.7 | tcp |
Files
memory/4912-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp
memory/4912-1-0x0000000000B50000-0x0000000000C9A000-memory.dmp
memory/4912-2-0x0000000005580000-0x00000000056C8000-memory.dmp
memory/4912-3-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/4912-4-0x0000000005820000-0x00000000058B2000-memory.dmp
memory/4912-5-0x0000000005910000-0x0000000005932000-memory.dmp
memory/4912-6-0x0000000005B30000-0x0000000005E84000-memory.dmp
memory/2524-7-0x0000000004DD0000-0x0000000004E06000-memory.dmp
memory/2524-8-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2524-9-0x0000000005440000-0x0000000005A68000-memory.dmp
memory/2524-10-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2524-11-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2524-12-0x00000000053C0000-0x0000000005426000-memory.dmp
memory/2524-18-0x0000000005A70000-0x0000000005AD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfvkanx2.4m1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2524-23-0x00000000062D0000-0x00000000062EE000-memory.dmp
memory/2524-24-0x0000000006300000-0x000000000634C000-memory.dmp
memory/2524-25-0x0000000007B10000-0x000000000818A000-memory.dmp
memory/2524-26-0x0000000006800000-0x000000000681A000-memory.dmp
memory/4912-27-0x0000000074CDE000-0x0000000074CDF000-memory.dmp
memory/4912-28-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2524-29-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2524-33-0x0000000074CD0000-0x0000000075480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
memory/2240-35-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2240-36-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2240-37-0x0000000074CD0000-0x0000000075480000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e09ddbe372b0540e5c4229a323130dc7 |
| SHA1 | d0421702599010b0bed0b06be1638fd1b99914aa |
| SHA256 | d6deffa2c36b4d1c81689c3795d932ed5e7822552b4ee2c2d68bc86291ff72f9 |
| SHA512 | 3a06bf1f24085de2a62403da258c8e791efbbf2e142b251a751003e471905699b42a0ac07b39908b79bf61d6b460f079d51310698abaec62379a8e7f6ecb3eae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/2240-49-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/2240-50-0x0000000007160000-0x0000000007192000-memory.dmp
memory/2240-51-0x000000006FFA0000-0x000000006FFEC000-memory.dmp
memory/2240-61-0x0000000006560000-0x000000000657E000-memory.dmp
memory/2240-62-0x00000000071D0000-0x0000000007273000-memory.dmp
memory/2240-63-0x00000000072B0000-0x00000000072BA000-memory.dmp
memory/2240-64-0x00000000074D0000-0x0000000007566000-memory.dmp
memory/2240-65-0x0000000007420000-0x0000000007431000-memory.dmp
memory/2240-66-0x0000000007460000-0x000000000746E000-memory.dmp
memory/2240-67-0x0000000007470000-0x0000000007484000-memory.dmp
memory/2240-68-0x0000000007570000-0x000000000758A000-memory.dmp
memory/2240-69-0x00000000074A0000-0x00000000074A8000-memory.dmp
memory/2240-71-0x0000000074CD0000-0x0000000075480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
| MD5 | 7f1f17f581d25b34013146f290fea01b |
| SHA1 | 27c020394a1396b3e11ab563d62f76c2d5e873ea |
| SHA256 | 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375 |
| SHA512 | 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935 |
memory/4084-86-0x00000000003F0000-0x00000000004C4000-memory.dmp
memory/3412-85-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4912-88-0x0000000074CD0000-0x0000000075480000-memory.dmp
memory/4084-87-0x0000000004C90000-0x0000000004D60000-memory.dmp
memory/3412-83-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4084-89-0x0000000005220000-0x0000000005574000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c22cd9d8b0d6d73a60164a51cffef836 |
| SHA1 | 6af41cab062beca3647c0ce6cd1ed515d5e51416 |
| SHA256 | 2d45591f0341bae55c527b1b36aa1449d6c2659992f77e9ccbd7fbca97121a34 |
| SHA512 | 3de9666703b0f2999f5a37ef57ae0e0873dcf5cb00f979b569146f64ea18bf3ae82c4285a6016c5e05ac45ce4dc0494ec0bd526fe12120ef907ac2f8b85a49ec |
memory/4404-100-0x0000000005B20000-0x0000000005B6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 706bd321ae18c1f9740e400aef898e5d |
| SHA1 | 1136aa5bab826882e1d232cdc3515d0f839ecc75 |
| SHA256 | 43c208e2d4b3e5c9ec96dea17eba75b06d595b78a0296b34484c3f5e7a00d597 |
| SHA512 | 997de95e19836c73173a1864fc01e261a98bca7a5e4fb314eff6cdc269552350307cd8f818b574226e8e317ab54d9e233baa66f78c57b7ae7ec21e97d3d2bf5f |
memory/2920-112-0x0000000070410000-0x000000007045C000-memory.dmp
memory/2920-122-0x0000000007700000-0x00000000077A3000-memory.dmp
memory/2920-123-0x0000000007980000-0x0000000007991000-memory.dmp
memory/2920-124-0x00000000079E0000-0x00000000079F4000-memory.dmp
memory/3268-126-0x0000000000400000-0x0000000000409000-memory.dmp
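In both runs the SetThreadContext rows show the first stage and the dropped Ifiopyrxmbmpmdubjnjdmx0x4_2.exe each setting the thread context of a child running the same image; together with the WriteProcessMemory signature that is the process-hollowing pattern, and the dumps the sandbox took of the target PIDs (1220 and 1672 on Win7, 3412 and 3268 on Win10) are all of the region starting at the conventional 32-bit image base 0x400000: 0x12000 bytes for the first stage's child and 0x9000 bytes for the dropped executable's child, identical across both platforms. The added example below, not part of the report, parses the sandbox's `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names and picks, for each hollowed child, the dump most likely to contain the written payload. The dump list is a subset copied from the behavioral2 Files section and the injection map is its SetThreadContext table; the image-base heuristic and the largest-region fallback (for a payload mapped somewhere other than 0x400000) are assumptions of this example.

```python
"""Pick the memory dump holding a hollowed child's payload.

Added example for this report, not sandbox output. DUMPS is a subset of the
behavioral2 Files list; INJECTIONS is its SetThreadContext table. The naming
convention memory/<pid>-<seq>-<start>-<end>-memory.dmp is the sandbox's.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PAGE = 0x1000
DEFAULT_IMAGE_BASE = 0x400000  # conventional 32-bit PE ImageBase (assumption)

DUMPS = [
    "memory/4912-1-0x0000000000B50000-0x0000000000C9A000-memory.dmp",   # first stage (parent)
    "memory/2524-7-0x0000000004DD0000-0x0000000004E06000-memory.dmp",   # powershell, not a target
    "memory/3412-83-0x0000000000400000-0x0000000000412000-memory.dmp",  # child of 4912
    "memory/3412-85-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/4084-86-0x00000000003F0000-0x00000000004C4000-memory.dmp",  # dropped EXE (parent)
    "memory/3268-126-0x0000000000400000-0x0000000000409000-memory.dmp", # child of 4084
    "not-a-dump.txt",
]
# "PID 4912 set thread context of 3412", "PID 4084 set thread context of 3268"
INJECTIONS = {4912: 3412, 4084: 3268}


def parse_dump(name: str) -> Optional[dict]:
    """Return pid/seq/start/size for a well-formed, page-aligned dump name."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start or start % PAGE or (end - start) % PAGE:
        return None
    return {"pid": int(pid), "seq": int(seq), "start": start, "size": end - start, "name": name}


def payload_dumps(dumps: Iterable[str], injections: Dict[int, int]) -> Dict[int, dict]:
    """For every SetThreadContext target, choose the dump most likely to hold the
    payload the parent wrote: the highest-sequence dump of the ImageBase region
    (later dumps reflect later writes), falling back to the largest region when
    nothing was dumped at the default base."""
    targets = set(injections.values())
    by_pid = defaultdict(list)
    for d in filter(None, map(parse_dump, dumps)):
        if d["pid"] in targets:
            by_pid[d["pid"]].append(d)
    chosen = {}
    for pid, regions in by_pid.items():
        image = [r for r in regions if r["start"] == DEFAULT_IMAGE_BASE]
        pool = image or [max(regions, key=lambda r: r["size"])]
        best = max(pool, key=lambda r: r["seq"])
        parent = next(p for p, t in injections.items() if t == pid)
        chosen[pid] = {"parent": parent, "name": best["name"], "size": best["size"],
                       "snapshots": len(image), "at_image_base": bool(image)}
    return chosen


if __name__ == "__main__":
    for pid, info in sorted(payload_dumps(DUMPS, INJECTIONS).items()):
        print(f"PID {pid} (hollowed by {info['parent']}): {info['name']} "
              f"{info['size'] // 1024} KiB, {info['snapshots']} snapshot(s)")
```

The sizes come from the file names only; confirming that the selected region is a PE (and which family's configuration it carries) still requires opening the dump. The Win7 run gives the same answer with PIDs 1220 and 1672 substituted.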