Malware Analysis Report

2025-03-15 06:25

Sample ID 240213-fm8lhace3z
Target bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe
SHA256 bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a

Threat Level: Known bad

The file bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-13 05:00

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 05:00

Reported

2024-02-13 05:16

Platform

win7-20231215-en

Max time kernel

122s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1252 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe C:\Windows\SysWOW64\schtasks.exe
PID 1252 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe

"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"

C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe

"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 makatti.duckdns.org udp
NL 94.156.68.226:3787 makatti.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp

MD5 322e236b9a6e946674aa812b89445c49
SHA1 5480cab183ab27489c0a9049fec63fcc7e112738
SHA256 54cf91d836de5e2a1f86a2e972818103af8516868dd621808fd2ba1f40a6de2a
SHA512 16c4997cc8574271916527381bc6cfa683d803f032c24346fba14c94b7686f9fc8cab26deb823ea396bc7c5f66cb25b540bbafa7fe1f3b45b89dc1ef795b62a1

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 05:00

Reported

2024-02-13 05:18

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe

"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IDXJRvJUpAIjP.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IDXJRvJUpAIjP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE02E.tmp"

C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe

"C:\Users\Admin\AppData\Local\Temp\bc7a00a440550e0b93368e5d1524e9b5a46177f26518803d85268d9d7a1cca8a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 makatti.duckdns.org udp
NL 94.156.68.226:3787 makatti.duckdns.org tcp
US 8.8.8.8:53 226.68.156.94.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpE02E.tmp

MD5 abec8806ef0d9d9da57ce7eec1d1e297
SHA1 54f3cae6c516024f64f566946ee77888f97b27cf
SHA256 654e0d8fa3b6a73636f20db2e67d5f24668ea6ecc389bd769c814615e0aba20b
SHA512 4b82d1a6724cbfd2f11cb7bc360eb3c1e6ebeb659f93c80612beea60de2ac0071c4a619c088f4ea3d20742d0257bf5a3482050921bec35eb70a1c5b3def7e29f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0efm0qfj.3no.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
