Malware Analysis Report

2025-04-14 08:14

Sample ID 250310-c1wbjsztcv
Target 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
SHA256 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b
Tags
raccoon smokeloader eee94d533c0441c732ed7e18e494bdc6 x0x4 backdoor discovery stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b

Threat Level: Known bad

The file 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe was found to be: Known bad.

Malicious Activity Summary


Raccoon

Raccoon family

SmokeLoader

Smokeloader family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-10 02:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-10 02:33

Reported

2025-03-10 02:35

Platform

win7-20240903-en

Max time kernel

137s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe"

Signatures

Raccoon

stealer raccoon

Raccoon family

raccoon

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2436 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2436 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2436 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2436 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2436 wrote to memory of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 2920 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe

"C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 34)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' , i.e. a Windows Defender scan exclusion for the whole C: drive)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"

C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe

C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 34)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' , i.e. a Windows Defender scan exclusion for the whole C: drive)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Network

Country | Destination | Domain | Proto
DE | 45.15.156.16:80 | | tcp
DE | 45.15.156.16:80 | | tcp
NL | 82.115.223.5:80 | | tcp
NL | 82.115.223.5:80 | | tcp
NL | 82.115.223.6:80 | | tcp
NL | 82.115.223.6:80 | | tcp
DE | 45.15.156.17:80 | | tcp
DE | 45.15.156.17:80 | | tcp

Files

memory/2436-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/2436-1-0x0000000000FC0000-0x000000000110A000-memory.dmp

memory/2436-2-0x0000000000D80000-0x0000000000EC8000-memory.dmp

memory/2436-3-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2436-4-0x0000000000ED0000-0x0000000000F62000-memory.dmp

memory/2788-7-0x00000000029F0000-0x0000000002A30000-memory.dmp

memory/2436-8-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/2436-9-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2788-10-0x00000000029F0000-0x0000000002A30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 06849a143e17feb522218f16de6d21ec
SHA1 c53962eede35bd892d9736ff8ea0bc0baef85eaa
SHA256 93290b4ebac8b483b820e2ce91499f23466e1d0f85dd67054dbbd999e06f74cf
SHA512 aa953705ae648c01e7d8b55d2ee7a5f64ac7d69527b7666881c5ddb4bf81e52c68018820dc138f3d15612902424704f1f8bebed26a2ffb05bd7813b3dbb34d5c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XY00CBCFIFHDCR0NPN9Q.temp

MD5 8d64df15740bfbf8f22836d69b922779
SHA1 404d5abc38bfb13da3cbbbd9fa3202368699e60b
SHA256 39768bb66e646ae4aaa46fff171922dfe37a763f63609bccce7cce56a6c1ff9a
SHA512 e759f95af6090b42ef22405022fa52370d9a01b38246f81d1acc08891225bd616731c481e2c09dd9306a09ab525a33677347bfd3ee21168a239d9504fe1ba179

\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

MD5 7f1f17f581d25b34013146f290fea01b
SHA1 27c020394a1396b3e11ab563d62f76c2d5e873ea
SHA256 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375
SHA512 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935

memory/2920-25-0x0000000000CB0000-0x0000000000D80000-memory.dmp

memory/2920-24-0x0000000000E40000-0x0000000000F14000-memory.dmp

memory/2436-39-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/1220-38-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1220-37-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1220-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1220-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1220-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1220-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1220-28-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1220-26-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1672-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1672-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1672-57-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1672-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-10 02:33

Reported

2025-03-10 02:35

Platform

win10v2004-20250217-en

Max time kernel

107s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe"

Signatures

Raccoon

stealer raccoon

Raccoon family

raccoon

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4912 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4912 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4912 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4912 wrote to memory of 3412 | N/A | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe | C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe
PID 4084 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4084 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4084 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4084 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4084 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
PID 4084 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe

"C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 34)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' , i.e. a Windows Defender scan exclusion for the whole C: drive)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

"C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"

C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe

C:\Users\Admin\AppData\Local\Temp\808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 34)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
(decoded -enc argument, base64 of UTF-16LE: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' , i.e. a Windows Defender scan exclusion for the whole C: drive)

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
DE | 45.15.156.16:80 | | tcp
NL | 82.115.223.5:80 | | tcp
NL | 82.115.223.6:80 | | tcp
DE | 45.15.156.17:80 | | tcp
NL | 82.115.223.7:80 | 82.115.223.7 | tcp

Files

memory/4912-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

memory/4912-1-0x0000000000B50000-0x0000000000C9A000-memory.dmp

memory/4912-2-0x0000000005580000-0x00000000056C8000-memory.dmp

memory/4912-3-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/4912-4-0x0000000005820000-0x00000000058B2000-memory.dmp

memory/4912-5-0x0000000005910000-0x0000000005932000-memory.dmp

memory/4912-6-0x0000000005B30000-0x0000000005E84000-memory.dmp

memory/2524-7-0x0000000004DD0000-0x0000000004E06000-memory.dmp

memory/2524-8-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2524-9-0x0000000005440000-0x0000000005A68000-memory.dmp

memory/2524-10-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2524-11-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2524-12-0x00000000053C0000-0x0000000005426000-memory.dmp

memory/2524-18-0x0000000005A70000-0x0000000005AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfvkanx2.4m1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2524-23-0x00000000062D0000-0x00000000062EE000-memory.dmp

memory/2524-24-0x0000000006300000-0x000000000634C000-memory.dmp

memory/2524-25-0x0000000007B10000-0x000000000818A000-memory.dmp

memory/2524-26-0x0000000006800000-0x000000000681A000-memory.dmp

memory/4912-27-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

memory/4912-28-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2524-29-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2524-33-0x0000000074CD0000-0x0000000075480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/2240-35-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2240-36-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2240-37-0x0000000074CD0000-0x0000000075480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e09ddbe372b0540e5c4229a323130dc7
SHA1 d0421702599010b0bed0b06be1638fd1b99914aa
SHA256 d6deffa2c36b4d1c81689c3795d932ed5e7822552b4ee2c2d68bc86291ff72f9
SHA512 3a06bf1f24085de2a62403da258c8e791efbbf2e142b251a751003e471905699b42a0ac07b39908b79bf61d6b460f079d51310698abaec62379a8e7f6ecb3eae

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/2240-49-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/2240-50-0x0000000007160000-0x0000000007192000-memory.dmp

memory/2240-51-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/2240-61-0x0000000006560000-0x000000000657E000-memory.dmp

memory/2240-62-0x00000000071D0000-0x0000000007273000-memory.dmp

memory/2240-63-0x00000000072B0000-0x00000000072BA000-memory.dmp

memory/2240-64-0x00000000074D0000-0x0000000007566000-memory.dmp

memory/2240-65-0x0000000007420000-0x0000000007431000-memory.dmp

memory/2240-66-0x0000000007460000-0x000000000746E000-memory.dmp

memory/2240-67-0x0000000007470000-0x0000000007484000-memory.dmp

memory/2240-68-0x0000000007570000-0x000000000758A000-memory.dmp

memory/2240-69-0x00000000074A0000-0x00000000074A8000-memory.dmp

memory/2240-71-0x0000000074CD0000-0x0000000075480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe

MD5 7f1f17f581d25b34013146f290fea01b
SHA1 27c020394a1396b3e11ab563d62f76c2d5e873ea
SHA256 2bbe711ab5c483cdbc39743637123498da1e62a743e7186a8e6a363c6c349375
SHA512 8793a175c5d664c388f94d40ab544866d13b4c6b9348d56bd5a3144fb9480b0982577e6cc8604f6355ded850c7bcc67c1536af59bfdceb11a23187a8ee3f4935

memory/4084-86-0x00000000003F0000-0x00000000004C4000-memory.dmp

memory/3412-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4912-88-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/4084-87-0x0000000004C90000-0x0000000004D60000-memory.dmp

memory/3412-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4084-89-0x0000000005220000-0x0000000005574000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c22cd9d8b0d6d73a60164a51cffef836
SHA1 6af41cab062beca3647c0ce6cd1ed515d5e51416
SHA256 2d45591f0341bae55c527b1b36aa1449d6c2659992f77e9ccbd7fbca97121a34
SHA512 3de9666703b0f2999f5a37ef57ae0e0873dcf5cb00f979b569146f64ea18bf3ae82c4285a6016c5e05ac45ce4dc0494ec0bd526fe12120ef907ac2f8b85a49ec

memory/4404-100-0x0000000005B20000-0x0000000005B6C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 706bd321ae18c1f9740e400aef898e5d
SHA1 1136aa5bab826882e1d232cdc3515d0f839ecc75
SHA256 43c208e2d4b3e5c9ec96dea17eba75b06d595b78a0296b34484c3f5e7a00d597
SHA512 997de95e19836c73173a1864fc01e261a98bca7a5e4fb314eff6cdc269552350307cd8f818b574226e8e317ab54d9e233baa66f78c57b7ae7ec21e97d3d2bf5f

memory/2920-112-0x0000000070410000-0x000000007045C000-memory.dmp

memory/2920-122-0x0000000007700000-0x00000000077A3000-memory.dmp

memory/2920-123-0x0000000007980000-0x0000000007991000-memory.dmp

memory/2920-124-0x00000000079E0000-0x00000000079F4000-memory.dmp

memory/3268-126-0x0000000000400000-0x0000000000409000-memory.dmp