Malware Analysis Report

2024-10-24 16:45

Sample ID 240419-nv4araaf94
Target fa39a305180ccfd7fe227d94f463f900_JaffaCakes118
SHA256 3e6e256f7b7d79667eceba8888a26457124a33e09adc8d4bb8bc883335acd4b0
Tags
warzonerat infostealer persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

3e6e256f7b7d79667eceba8888a26457124a33e09adc8d4bb8bc883335acd4b0

Threat Level: Known bad

The file fa39a305180ccfd7fe227d94f463f900_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 11:43

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 11:43

Reported

2024-04-19 11:46

Platform

win7-20240221-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData:ApplicationData C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe C:\ProgramData\images.exe
PID 2728 wrote to memory of 1616 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1636 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 akwz.mypets.ws udp

Files

\ProgramData\images.exe

C:\ProgramData

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QLY0EQ0DNB53Q4YIHYLI.temp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 11:43

Reported

2024-04-19 11:46

Platform

win10v2004-20240412-en

Max time kernel

154s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData:ApplicationData C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4080 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe C:\ProgramData\images.exe
PID 4776 wrote to memory of 2032 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 4836 N/A C:\ProgramData\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 akwz.mypets.ws udp
US 204.79.197.203:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\ProgramData\images.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2tjkw53q.e0x.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive