Malware Analysis Report

2025-03-15 06:28

Sample ID 240203-qmf7cscfap
Target 8c6dbdcb891eed5791ba148e6c94db96
SHA256 45370b4183ae64e58f5d5bf332f6f811117b7b16f31d4c535d67595e66748209
Tags: warzonerat infostealer persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 45370b4183ae64e58f5d5bf332f6f811117b7b16f31d4c535d67595e66748209

Threat Level: Known bad

The file 8c6dbdcb891eed5791ba148e6c94db96 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-03 13:22

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator, process or target details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-03 13:22
Reported: 2024-02-03 13:25
Platform: win7-20231215-en
Max time kernel: 39s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe"

Signatures

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzone RAT payload (rat)

Description Indicator Process Target
(8 hits; no indicator, process or target details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\000000 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\00000.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 2632 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2728 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 624 wrote to memory of 2804 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe

"C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 000000 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 000000 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
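The persistence in this run is worth a second look: the Run value does not point at the dropped file directly but at pcalua.exe, the signed Program Compatibility Assistant launcher under C:\Windows\system32, which starts whatever path follows -a. A check that only asks "does the Run value point at an unsigned binary in AppData?" passes this entry. The reg.exe command line recorded above also shows the quoting the dropper used; the stored value in the persistence table has no quotes at all, so reg.exe's own argument parsing dropped them. A second caveat for anyone pivoting on the dropped file: 00000.exe is recorded under four different SHA256 values across the two runs, and only one of those (in behavioral1) equals the submitted sample, so the Run key and the pcalua.exe proxy pattern are steadier indicators than the dropped file's hash. The following Python is an added example, not sandbox output or code from the report: it parses the REG ADD line and the stored Run value from this page, resolves the program that really gets launched, and flags the proxy and the user-writable drop path. The proxy-launcher map and the list of user-writable path fragments are assumptions for illustration.

```python
import ntpath
import re

# Registry write and reg.exe command line as recorded in the tables above
# (the sandbox doubles backslashes in the registry row; reg.exe's own argv
# parsing swallowed the stray quotes before the value was written).
RUN_VALUE_FROM_REPORT = (
    r"C:\\Windows\\system32\\pcalua.exe -a "
    r"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\00000.exe"
)
REG_ADD_FROM_REPORT = (
    r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '
    r'/f /v 000000 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a '
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"'
)

# Signed Windows binaries that launch whatever program is handed to them.
# pcalua.exe (Program Compatibility Assistant launcher) runs the path after
# "-a". Assumed, illustrative map: extend it with other proxy launchers.
PROXY_LAUNCHERS = {
    "pcalua.exe": re.compile(r'-a\s+(?P<target>"[^"]+"|\S+)', re.IGNORECASE),
}

# Directory fragments that mark a user-writable drop location (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_command(value: str) -> tuple[str, str]:
    """Split a Run value into (image path, arguments), honouring a quoted image."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    head, _, tail = value.partition(" ")
    return head, tail.strip()


def parse_reg_add(cmdline: str) -> dict:
    """Pull key, value name and data out of a `REG ADD ... /v NAME /d DATA` line."""
    key = re.search(r"REG ADD\s+(\S+)", cmdline, re.IGNORECASE).group(1)
    name = re.search(r"/v\s+(\S+)", cmdline, re.IGNORECASE).group(1)
    data = re.search(r"/d\s+(.*)$", cmdline, re.IGNORECASE).group(1)
    # Unbalanced quotes are dropped, which is what produced the stored value above.
    return {"key": key, "value_name": name, "data": data.replace('"', "")}


def analyze_run_value(raw: str) -> dict:
    """Resolve the program a Run value really starts and flag the risky traits."""
    value = raw.replace("\\\\", "\\")  # undo the report's backslash escaping
    image, args = split_command(value)
    launcher = ntpath.basename(image).lower()
    result = {"image": image, "proxy": None, "payload": None, "flags": []}

    pattern = PROXY_LAUNCHERS.get(launcher)
    match = pattern.search(args) if pattern else None
    if match:
        result["proxy"] = launcher
        result["payload"] = match.group("target").strip('"')
        result["flags"].append(f"execution proxied through {launcher}")

    # Judge the program that actually runs, not the signed launcher in front of it.
    effective = (result["payload"] or image).lower()
    if any(marker in effective for marker in USER_WRITABLE):
        result["flags"].append("payload in user-writable location")
    return result


if __name__ == "__main__":
    reg = parse_reg_add(REG_ADD_FROM_REPORT)
    print(reg["key"], reg["value_name"], "=", reg["data"])
    for label, value in (("registry row", RUN_VALUE_FROM_REPORT), ("reg.exe /d", reg["data"])):
        verdict = analyze_run_value(value)
        print(label, "->", verdict["payload"] or verdict["image"], verdict["flags"])
```

Both inputs resolve to the same payload path, which is the point: whether you collect Run values from the registry or reconstruct them from a reg.exe command line in process telemetry, the check should be made against the program that ends up running, not against the signed launcher named first in the value.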

Network

Country Destination Domain Proto
BY 178.124.140.145:28199 tcp (4 connections)

Files

memory/624-0-0x0000000001170000-0x00000000011CA000-memory.dmp

memory/624-1-0x0000000074130000-0x000000007481E000-memory.dmp

memory/624-2-0x00000000001E0000-0x00000000001F6000-memory.dmp

memory/624-3-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/624-4-0x0000000074130000-0x000000007481E000-memory.dmp

memory/624-5-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/624-7-0x0000000074130000-0x000000007481E000-memory.dmp

memory/2804-10-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2804-12-0x0000000002E20000-0x0000000002E60000-memory.dmp

memory/2804-11-0x0000000074170000-0x000000007471B000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

MD5 98f5bea68623cc9a42a4ac6376221b33
SHA1 f69cf62a37226c06cb6cb00e6fd0230fc3c01c84
SHA256 71f7d0545ee818309950543f2f9c38815161e1a4facfdc631b6ca3623e3de4d8
SHA512 f32b825a8a731158b489a47085984d10825fdd02301f7287fd62adbf594b954e5e39ca0ff9a3c77587881ab416b27d9fe3a99c627630e92de39aaa9653caabe6

memory/2576-18-0x00000000001B0000-0x00000000001C6000-memory.dmp

memory/2804-17-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2576-16-0x0000000000380000-0x00000000003DA000-memory.dmp

memory/2576-19-0x0000000070130000-0x000000007081E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

MD5 8c6dbdcb891eed5791ba148e6c94db96
SHA1 f4728f3817ea61b754da9adc0173db8a93855b56
SHA256 45370b4183ae64e58f5d5bf332f6f811117b7b16f31d4c535d67595e66748209
SHA512 4877a99f4412f5b90b59c5a263f877a5d7a049621e967e21a9d7e01265b6a6f2eac3a3bff116bf4ee056ba433deb2d94ee60a6a885b55ec432acbd343219f449

memory/2576-20-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/2576-21-0x0000000070130000-0x000000007081E000-memory.dmp

memory/2576-22-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/2140-23-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-24-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-25-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-26-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-27-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-28-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-29-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-30-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2140-31-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-35-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2140-34-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2576-33-0x0000000070130000-0x000000007081E000-memory.dmp

memory/2140-36-0x0000000000400000-0x0000000000551000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-03 13:22
Reported: 2024-02-03 13:25
Platform: win10v2004-20231215-en
Max time kernel: 135s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe"

Signatures

WarzoneRat, AveMaria (rat infostealer warzonerat)

Warzone RAT payload (rat)

Description Indicator Process Target
(4 hits; no indicator, process or target details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000000 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\00000.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2812 set thread context of 4004 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe N/A (24 events)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe N/A (3 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1492 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 3812 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 3996 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 2812 (3 events) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe
PID 2812 wrote to memory of 4004 (11 events) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
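Read together, the SetThreadContext and WriteProcessMemory tables for this run describe the injection, and the memory dumps in the Files section corroborate it: in both runs the sandbox dumps the same 0x400000 to 0x551000 region from the mscorsvw.exe child (PID 2140 on win7, PID 4004 on win10), which is the default image base of a 32-bit executable, not something mscorsvw.exe would normally carry. Most of the WriteProcessMemory rows are noise on their own (cmd.exe writing into reg.exe is ordinary process creation); the signal is the one source, 00000.exe, that both writes into a child and re-points a thread in it, and that child is a Microsoft .NET framework binary under C:\Windows. The following Python is an added example, not sandbox output or code from the report: it takes the rows from the two tables above (repeated rows collapsed to one per source/target pair), rebuilds the parent chain, and isolates the write-plus-SetThreadContext pair on a system image as the hollowing candidate. Treating the first writer as the parent is an assumption that holds for this report's data; with real process-creation telemetry you would use the recorded parent PID instead.

```python
import ntpath
import re

# Rows from the behavioral2 "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables above, one entry per distinct
# (source, target) pair; the sandbox logged each pair several times.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
STAGE2 = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

EVENTS = [
    ("PID 1748 wrote to memory of 1492", DROPPER, CMD),
    ("PID 1492 wrote to memory of 3812", CMD, REG),
    ("PID 1748 wrote to memory of 3996", DROPPER, PS),
    ("PID 3996 wrote to memory of 2812", PS, STAGE2),
    ("PID 2812 wrote to memory of 4004", STAGE2, HOST),
    ("PID 2812 set thread context of 4004", STAGE2, HOST),
]

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_events(rows):
    """Return (pid -> image, write pairs, thread-context pairs, child -> parent)."""
    images, writes, contexts, parents = {}, set(), set(), {}
    for description, src_image, dst_image in rows:
        src, verb, dst = ROW.match(description).groups()
        src, dst = int(src), int(dst)
        images[src], images[dst] = src_image, dst_image
        if verb.startswith("wrote"):
            writes.add((src, dst))
            # Assumption: the first process to write into a PID is its parent
            # (a parent writes into a child it just created).
            parents.setdefault(dst, src)
        else:
            contexts.add((src, dst))
    return images, writes, contexts, parents


def hollowing_candidates(images, writes, contexts):
    """Writers that also re-point a thread in a child living under C:\\Windows.

    WriteProcessMemory alone is expected during process creation; the
    write + SetThreadContext pair aimed at a system image is the shape of
    process hollowing / thread hijacking.
    """
    hits = []
    for src, dst in sorted(writes & contexts):
        if images[dst].lower().startswith("c:\\windows\\"):
            hits.append((src, ntpath.basename(images[src]),
                         dst, ntpath.basename(images[dst])))
    return hits


def chain(images, parents, pid):
    """Walk from pid back to the root, returning [(pid, image basename), ...]."""
    path = []
    while pid is not None:
        path.append((pid, ntpath.basename(images[pid])))
        pid = parents.get(pid)
    return list(reversed(path))


if __name__ == "__main__":
    images, writes, contexts, parents = parse_events(EVENTS)
    for hit in hollowing_candidates(images, writes, contexts):
        print("hollowing candidate:", hit)
        ancestry = chain(images, parents, hit[2])
        print("  ancestry:", " -> ".join(f"{p}:{name}" for p, name in ancestry))
```

On this report's rows the only candidate is 2812 (00000.exe) into 4004 (mscorsvw.exe), with the ancestry dropper -> powershell.exe -> 00000.exe -> mscorsvw.exe; the cmd.exe -> reg.exe writes are correctly left alone. On a live host the same logic applies to Sysmon event 8 (CreateRemoteThread) and 10 (ProcessAccess) data, with the added benefit of real parent PIDs.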

Processes

C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe

"C:\Users\Admin\AppData\Local\Temp\8c6dbdcb891eed5791ba148e6c94db96.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 000000 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 000000 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
BY 178.124.140.145:28199 tcp (3 connections)

Files

memory/1748-0-0x0000000000670000-0x00000000006CA000-memory.dmp

memory/1748-1-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/1748-3-0x00000000029D0000-0x00000000029E6000-memory.dmp

memory/1748-2-0x00000000056E0000-0x0000000005C84000-memory.dmp

memory/1748-4-0x0000000005130000-0x00000000051C2000-memory.dmp

memory/1748-5-0x0000000005050000-0x0000000005072000-memory.dmp

memory/1748-6-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/1748-7-0x0000000005CE0000-0x0000000005D24000-memory.dmp

memory/1748-8-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/1748-9-0x00000000054A0000-0x00000000054B0000-memory.dmp

memory/1748-12-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/3996-15-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/3996-14-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/3996-16-0x0000000002E10000-0x0000000002E20000-memory.dmp

memory/3996-13-0x0000000002E60000-0x0000000002E96000-memory.dmp

memory/3996-17-0x0000000005820000-0x0000000005E48000-memory.dmp

memory/3996-18-0x0000000005FC0000-0x0000000006026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bj2heogq.cs5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3996-19-0x0000000006120000-0x0000000006186000-memory.dmp

memory/3996-29-0x0000000006290000-0x00000000065E4000-memory.dmp

memory/3996-30-0x0000000006750000-0x000000000676E000-memory.dmp

memory/3996-31-0x0000000006780000-0x00000000067CC000-memory.dmp

memory/3996-33-0x0000000006C40000-0x0000000006C5A000-memory.dmp

memory/3996-34-0x0000000006C90000-0x0000000006CB2000-memory.dmp

memory/3996-32-0x0000000007700000-0x0000000007796000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

MD5 c5aa0fc2ac7376bb68bf20fe24eb1038
SHA1 156c3112c50013a2bf68fb84c8460176ed65c70b
SHA256 0840ed7b2c828a7b4844cf7b2075a8691f4631a6bcfde133a02badb9e0143036
SHA512 372114042cabf97ef6168e4eb1ec12c76fdbd7391945d54575783e34721afcaf79df3bf71a161d0c9f70dc5bcc3446b3d1d2e2d2ec90e587fab0db8d56ae4e44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\00000.exe

MD5 ee1ba20e1123e7a66851d1556631e1a8
SHA1 7d4075b2eaf6d71a9fe758a221c4a6a6f1b068ea
SHA256 06cfc90f9be820ae6641b4fccd86dbde8ae6d578c86b390e0b903ff87f3a7d75
SHA512 f610c519b2f86652c4f76865330cdae70bbf35bcff6dcd1796cf7ddf593021cf5f354e9d04184cf5c224775922d5c49b07e3cb5a319ecad9b8629cf0e44ed4d1

memory/2812-40-0x00000000015B0000-0x00000000015C6000-memory.dmp

memory/3996-41-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/2812-39-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/2812-42-0x0000000005980000-0x0000000005990000-memory.dmp

memory/2812-43-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/2812-44-0x0000000005980000-0x0000000005990000-memory.dmp

memory/4004-45-0x0000000000400000-0x0000000000551000-memory.dmp

memory/2812-49-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/4004-48-0x0000000000400000-0x0000000000551000-memory.dmp

memory/4004-50-0x0000000000400000-0x0000000000551000-memory.dmp

memory/4004-51-0x0000000000400000-0x0000000000551000-memory.dmp