Malware Analysis Report

2025-03-15 06:30

Sample ID: 240129-d6b1jahag9
Target: P.O 4700009314.exe
SHA256: decfb2acfa48419eb5c32541e8b99aa142ed856a2969012374c2a30f8bd7db70
Tags: warzonerat collection infostealer rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

decfb2acfa48419eb5c32541e8b99aa142ed856a2969012374c2a30f8bd7db70

Threat Level: Known bad

The file P.O 4700009314.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat collection infostealer rat spyware stealer

WarzoneRat, AveMaria

Warzone RAT payload

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Analysis: static1

Detonation Overview

Reported

2024-01-29 03:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 03:36

Reported

2024-01-29 03:39

Platform

win7-20231215-en

Max time kernel

118s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (9 matches, no further detail reported)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2264 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2648 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2264 wrote to memory of 2544 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2564 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

"C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OhkUvqoiVsLniO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OhkUvqoiVsLniO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp"

C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

"C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe"

Network

Country Destination Domain Proto
IN 43.230.202.77:4568 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp


\Users\Admin\AppData\Local\Temp\msvcp140.dll


\Users\Admin\AppData\Local\Temp\vcruntime140.dll


\Users\Admin\AppData\Local\Temp\mozglue.dll


\Users\Admin\AppData\Local\Temp\softokn3.dll


\Users\Admin\AppData\Local\Temp\freebl3.dll


\Users\Admin\AppData\Local\Temp\nss3.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 03:36

Reported

2024-01-29 03:39

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no further detail reported)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3016 set thread context of 1920 N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 1032 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1688 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1920 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

"C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OhkUvqoiVsLniO.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OhkUvqoiVsLniO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC2C.tmp"

C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe

"C:\Users\Admin\AppData\Local\Temp\P.O 4700009314.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmpBC2C.tmp


C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c4pclpz1.mij.ps1


C:\Users\Admin\AppData\Local\Temp\msvcp140.dll


C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll


C:\Users\Admin\AppData\Local\Temp\mozglue.dll


C:\Users\Admin\AppData\Local\Temp\nss3.dll


C:\Users\Admin\AppData\Local\Temp\freebl3.dll


C:\Users\Admin\AppData\Local\Temp\softokn3.dll
