Malware Analysis Report

2024-11-13 14:19

Sample ID 240704-yarfkaxeke
Target !ŞetUp_51286--#PaSꞨKḙy#$$.zip
SHA256 0f94f6a5c219c17ba7c1c5d9be967e576c7a8f0e097a14706b13feed3aaafe7d
Tags amadey lumma execution spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 0f94f6a5c219c17ba7c1c5d9be967e576c7a8f0e097a14706b13feed3aaafe7d

Threat Level: Known bad

The file !ŞetUp_51286--#PaSꞨKḙy#$$.zip was found to be: Known bad.

Malicious Activity Summary

amadey lumma execution spyware stealer trojan

Lumma Stealer

Amadey

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Suspicious use of SetThreadContext

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 19:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 19:35

Reported

2024-07-04 19:38

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2152 set thread context of 4616 N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 8.8.8.8:53 bouncedgowp.shop udp
US 8.8.8.8:53 bannngwko.shop udp
IE 52.111.236.22:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\b65f4664

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 19:35

Reported

2024-07-04 19:38

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 19:35

Reported

2024-07-04 19:38

Platform

win10v2004-20240704-en

Max time kernel

145s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\CefSharp.BrowserSubprocess.job C:\Windows\SysWOW64\comp.exe N/A
File created C:\Windows\Tasks\Managed Machine Service Mini.job C:\Windows\SysWOW64\comp.exe N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe C:\Windows\SysWOW64\more.com
PID 1552 wrote to memory of 216 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 216 wrote to memory of 3908 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
PID 3908 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe C:\Windows\SysWOW64\comp.exe
PID 216 wrote to memory of 3288 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe
PID 3288 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe C:\Windows\SysWOW64\comp.exe
PID 4212 wrote to memory of 2044 N/A C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\explorer.exe
PID 4172 wrote to memory of 2996 N/A C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\explorer.exe
PID 2996 wrote to memory of 2580 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe

"C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe"

C:\Windows\SysWOW64\comp.exe

C:\Windows\SysWOW64\comp.exe

C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe

"C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe"

C:\Windows\SysWOW64\comp.exe

C:\Windows\SysWOW64\comp.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 downloadfile123.xyz udp
US 172.67.140.114:443 downloadfile123.xyz tcp
US 8.8.8.8:53 114.140.67.172.in-addr.arpa udp
US 8.8.8.8:53 downloaddining3.com udp
US 8.8.8.8:53 downloaddining.com udp
US 8.8.8.8:53 downloaddining2.com udp
US 172.67.209.34:80 downloaddining2.com tcp
RU 45.140.19.240:80 downloaddining.com tcp
US 172.67.208.139:80 downloaddining3.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 139.208.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.19.140.45.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 250.197.67.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\563d433

C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe

C:\Users\Admin\AppData\Local\Temp\b159923

C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe

C:\Users\Admin\AppData\Local\Temp\110d2f45

C:\Users\Admin\AppData\Local\Temp\e479e61

C:\Users\Admin\AppData\Local\Temp\143a3d6b

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wip2ral0.vuk.ps1