Malware Analysis Report

2025-08-11 01:39

Sample ID 230225-bpcjmabf32
Target 5ef276a7d78356769c2f5158b631366d.bin
SHA256 84fd1d86d0445da2c20bcaab578394441d079e8a63fdfe593915c57f46b1adda
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84fd1d86d0445da2c20bcaab578394441d079e8a63fdfe593915c57f46b1adda

Threat Level: Known bad

The file 5ef276a7d78356769c2f5158b631366d.bin was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-25 01:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 01:18

Reported

2023-02-25 01:21

Platform

win7-20230220-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 1160 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1308 wrote to memory of 1628 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Windows\SysWOW64\schtasks.exe
PID 1308 wrote to memory of 300 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TARQmutZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TARQmutZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC360.tmp"

C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"
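The process activity above carries three detection-worthy patterns: a PowerShell child that adds a Defender exclusion for the dropped TARQmutZ.exe, a schtasks child that registers a task from an XML file in Temp, and a parent that writes repeatedly into a second copy of its own image (PID 300), which together with the "Suspicious use of SetThreadContext" signature is the classic process-hollowing shape. One caveat for rule authors: every command line names System32, but the Process column shows SysWOW64. That is WoW64 file-system redirection for a 32-bit parent, so match on the image path rather than the literal command-line string. The following Python is an added example, not part of the sandbox report: the event records are constructed from the behavioral1 tables, parent/child links are inferred from which PID wrote into which, and the ATT&CK IDs are the editor's mapping (the report's own MITRE ATT&CK section is empty).

```python
"""Detection checks over the process activity recorded in the behavioral1 detonation.

Added example, not part of the sandbox report. Event records are constructed by
hand from the report's Processes and WriteProcessMemory tables; parent/child
links are inferred from which PID wrote into which. ATT&CK IDs are the editor's
mapping, not the report's.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe")
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS_IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # image actually executed (the report's Process column)
    cmdline: str  # command line as the parent supplied it


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int
    count: int    # WriteProcessMemory events between the pair


# Constructed from the behavioral1 (win7) detonation.
PROCS = [
    Proc(1308, SAMPLE, f'"{SAMPLE}"'),
    Proc(1160, PS_IMAGE,
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TARQmutZ.exe"'),
    Proc(1628, SCHTASKS_IMAGE,
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TARQmutZ" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC360.tmp"'),
    Proc(300, SAMPLE, f'"{SAMPLE}"'),
]
WRITES = [MemWrite(1308, 1160, 4), MemWrite(1308, 1628, 4), MemWrite(1308, 300, 12)]

# Add-MpPreference with any -Exclusion* parameter: Defender tampering (T1562.001).
ADD_MPPREF = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)
# schtasks /Create ... /XML <file>: captures the XML path so its location can be checked.
SCHTASKS_XML = re.compile(r"/create\b.*?/xml\s+\"?([^\"\s]+)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def detect(procs, writes):
    """Return (pid, attack_id, description) findings for the three patterns above."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if ADD_MPPREF.search(p.cmdline):
            findings.append((p.pid, "T1562.001",
                             "Defender exclusion added via Add-MpPreference"))
        m = SCHTASKS_XML.search(p.cmdline)
        if m and p.image.lower().endswith("schtasks.exe") and TEMP_DIR.search(m.group(1)):
            findings.append((p.pid, "T1053.005",
                             f"scheduled task registered from XML in Temp: {m.group(1)}"))
    for w in writes:
        src, dst = by_pid.get(w.src_pid), by_pid.get(w.dst_pid)
        # Parent writing into a child that runs the parent's own image: hollowing
        # candidate. Confirm with SetThreadContext/ResumeThread on the same child.
        if src and dst and src.pid != dst.pid and src.image.lower() == dst.image.lower():
            findings.append((dst.pid, "T1055.012",
                             f"PID {src.pid} wrote {w.count}x into a child running its own image"))
    return findings


def image_cmdline_mismatch(p):
    """True when the command line says System32 but the image ran from SysWOW64.

    A 32-bit parent hits WoW64 file-system redirection, so a rule that looks for
    the literal 'System32' in the command line matches while the image-path field
    does not; key rules on the image path.
    """
    return "\\system32\\" in p.cmdline.lower() and "\\syswow64\\" in p.image.lower()


if __name__ == "__main__":
    for pid, attack_id, desc in detect(PROCS, WRITES):
        print(pid, attack_id, desc)
```

The hollowing check only fires on a same-image parent/child pair; a loader that hollows a different host binary (RegAsm.exe, for instance) needs the target-image test relaxed to "any child that received writes and a SetThreadContext call".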

Network

Country Destination Domain Proto
NO 194.5.98.187:1990 tcp (9 connections)

Files

memory/1308-54-0x0000000000950000-0x0000000000A28000-memory.dmp

memory/1308-55-0x0000000007340000-0x0000000007380000-memory.dmp

memory/1308-56-0x0000000000530000-0x0000000000546000-memory.dmp

memory/1308-57-0x0000000007340000-0x0000000007380000-memory.dmp

memory/1308-58-0x0000000000550000-0x000000000055C000-memory.dmp

memory/1308-59-0x0000000007660000-0x00000000076DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC360.tmp

MD5 b290fabe9a7deb505f9862bb305fdf57
SHA1 b1e43c291d1c7d9361ba2ab9cf9a5da0a94693f0
SHA256 81a9332df9035f792e1495b2eb6810aa705c14ef8d16e9bedb1e84d86500e7be
SHA512 21f20f83c95777d7b4c09a8579863c3f38f8fa27d6c113b7ba17cfa1f1b5e0a194f2bd0337373e89ad0a02e529f6acc64bb3702469c647d1c67bb74e45ac106c

memory/1308-65-0x0000000004920000-0x000000000494E000-memory.dmp

memory/300-66-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-67-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-68-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-69-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-70-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-71-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-72-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/300-74-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-76-0x0000000000400000-0x000000000055C000-memory.dmp

memory/300-79-0x0000000000400000-0x000000000055C000-memory.dmp

memory/1160-80-0x00000000026A0000-0x00000000026E0000-memory.dmp

memory/1160-81-0x00000000026A0000-0x00000000026E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-25 01:18

Reported

2023-02-25 01:21

Platform

win10v2004-20230221-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3400 wrote to memory of 4228 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 3068 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Windows\SysWOW64\schtasks.exe
PID 3400 wrote to memory of 892 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe
PID 3400 wrote to memory of 1252 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe
PID 3400 wrote to memory of 1916 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TARQmutZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TARQmutZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F7C.tmp"

C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe

"C:\Users\Admin\AppData\Local\Temp\e0502d39c8e63b66265eefe36bae775d0178a4f897958164cf97276ff2b2b745.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 250.108.137.52.in-addr.arpa udp
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp
US 20.189.173.6:443 tcp
NO 194.5.98.187:1990 tcp (6 connections)
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
NO 194.5.98.187:1990 tcp (8 connections)
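The Windows 10 run mixes the same repeated TCP connections to 194.5.98.187:1990 seen on Windows 7 with reverse-DNS lookups through 8.8.8.8 and one connection to 20.189.173.6:443. The triage question is which destinations to turn into network indicators. The following Python is an added example, not part of the sandbox report: NETWORK_ROWS is constructed from the behavioral2 table (one event per line, as the sandbox lists them), the repeat threshold is a heuristic the editor chose, and the Suricata rule text, msg and sid are the editor's. It separates PTR-lookup noise from repeated connections to a single ip:port and emits a rule for the survivor; the single 443 connection is reported but deliberately left unclassified for the analyst.

```python
"""Triage of the behavioral2 Network table: separate resolver/PTR noise from
repeated TCP connections to one socket, then emit a Suricata rule for the survivor.

Added example, not part of the sandbox report. NETWORK_ROWS is constructed from
the report's table; the repeat threshold, rule msg and sid are the editor's choices.
"""
from collections import Counter

# Constructed from the behavioral2 (win10) Network table, one event per line,
# in the order the sandbox reported them.
NETWORK_ROWS = (
    "US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp\n"
    "US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp\n"
    "US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp\n"
    "US 8.8.8.8:53 250.108.137.52.in-addr.arpa udp\n"
    "US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp\n"
    "US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp\n"
    "US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp\n"
    "US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp\n"
    "US 20.189.173.6:443 tcp\n"
    + "NO 194.5.98.187:1990 tcp\n" * 6
    + "US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp\n"
    + "NO 194.5.98.187:1990 tcp\n" * 8
)

REPEAT_THRESHOLD = 3  # editor's heuristic: same ip:port hit this often in one run


def parse_rows(text):
    """Parse 'country dest [domain] proto' rows; TCP rows have no domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # blank or malformed line
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Bucket rows into PTR lookups, single TCP connects and repeated TCP connects."""
    tcp = Counter(r["dest"] for r in rows if r["proto"] == "tcp")
    ptr_lookups = [r["domain"] for r in rows if r["domain"].endswith(".in-addr.arpa")]
    repeated = [(d, n) for d, n in tcp.most_common() if n >= REPEAT_THRESHOLD]
    single = [d for d, n in tcp.items() if n < REPEAT_THRESHOLD]
    return {"ptr_lookups": ptr_lookups, "repeated_tcp": repeated, "single_tcp": single}


def suricata_rule(dest, sid, family="WarzoneRAT"):
    """Egress rule for one ip:port; flow:to_server restricts it to client->C2 traffic."""
    ip, port = dest.rsplit(":", 1)
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 connection to {dest}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    print(summary)
    for i, (dest, _) in enumerate(summary["repeated_tcp"]):
        print(suricata_rule(dest, 9000001 + i))
```

A bare ip:port rule is brittle against infrastructure rotation; pair it with the host-side indicators from the process section (the Updates\TARQmutZ task and the Roaming\TARQmutZ.exe exclusion) rather than relying on it alone.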

Files

memory/3400-133-0x0000000000250000-0x0000000000328000-memory.dmp

memory/3400-134-0x00000000076A0000-0x0000000007C44000-memory.dmp

memory/3400-135-0x00000000071A0000-0x0000000007232000-memory.dmp

memory/3400-136-0x0000000007260000-0x000000000726A000-memory.dmp

memory/3400-137-0x0000000007140000-0x0000000007150000-memory.dmp

memory/3400-138-0x0000000007140000-0x0000000007150000-memory.dmp

memory/3400-139-0x0000000008860000-0x00000000088FC000-memory.dmp

memory/4228-144-0x0000000004690000-0x00000000046C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2F7C.tmp

MD5 88c5ced78a68b503df6a6cd11d9eee3d
SHA1 8c77d74da853429a0723d5410cc5db9b51e3f663
SHA256 b057afadef470fb95e11c62d9d19cf68e07b6029864669e5492b1d49bb56cd92
SHA512 8741be8b60100547e607043fee9ac4710722a30b7d85260f86ed24089ea1043dd1ce90550c3bade8a25b896e6b6724c108f3bc716d2464eec8146cb7bdf8cffd

memory/4228-146-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/4228-147-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/1916-149-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4228-148-0x0000000004D00000-0x0000000005328000-memory.dmp

memory/1916-152-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4228-153-0x0000000004C60000-0x0000000004C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5jx43o2.0er.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4228-159-0x0000000005430000-0x0000000005496000-memory.dmp

memory/4228-160-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/1916-165-0x0000000000400000-0x000000000055C000-memory.dmp

memory/4228-166-0x0000000005C00000-0x0000000005C1E000-memory.dmp

memory/4228-167-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/4228-168-0x00000000061C0000-0x00000000061F2000-memory.dmp

memory/4228-169-0x0000000071400000-0x000000007144C000-memory.dmp

memory/4228-179-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/4228-180-0x0000000007550000-0x0000000007BCA000-memory.dmp

memory/4228-181-0x0000000006F00000-0x0000000006F1A000-memory.dmp

memory/4228-182-0x0000000006F70000-0x0000000006F7A000-memory.dmp

memory/4228-183-0x000000007FC70000-0x000000007FC80000-memory.dmp

memory/4228-184-0x0000000007180000-0x0000000007216000-memory.dmp

memory/4228-185-0x0000000007130000-0x000000000713E000-memory.dmp

memory/4228-186-0x0000000007240000-0x000000000725A000-memory.dmp

memory/4228-187-0x0000000007220000-0x0000000007228000-memory.dmp

memory/1916-190-0x0000000000400000-0x000000000055C000-memory.dmp