Analysis Overview
SHA256
bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
Threat Level: Known bad
The file 8663ed0caec9adcb980a4a7ea23e7984.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Deletes itself
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-02 06:03
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-02 06:03
Reported
2021-08-02 06:05
Platform
win10v20210410
Max time kernel
85s
Max time network
114s
Command Line
Signatures
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2112 set thread context of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD121.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2416 & erase C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe & RD /S /Q C:\\ProgramData\\150367815699766\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2416
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | fine.le-pearl.com | udp |
| N/A | 108.167.158.96:80 | fine.le-pearl.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD121.tmp
| MD5 | 827f1a3d88da0cb6cc0c77bde43f4d68 |
| SHA1 | 0e48618e9597894312dd14a791441e906f9c6c5d |
| SHA256 | a06b8b045cd2a247a7a321c7411d9f81cdb125820ce043f37a720f046293331e |
| SHA512 | dec0938cc63b5671aa53b176116086eea022cae536ca4c18130102481ff028d7686e28afd2c91c126862b35c978755f71cdd35c349876063c1d4ab8b1e882959 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c47b22e90b7c07ee61c9cac8d013b5de |
| SHA1 | 70a037b16b49285780782e8ceb9ab4053871ce78 |
| SHA256 | 3294f037d78de491f2464dad68d5492e13cfaa7aaf97f9b63b33602023911b7b |
| SHA512 | c77100fab644095c0b4788d03531e1a64d0856fd65bfee560ab1318ce786ed5a709943c5ab6646200fdcec2caa7d9acb580cb3134ce821d5e583fde6de040323 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0fc8fe76cb074e745c52a409cef7e8f9 |
| SHA1 | 9137974467fc0f9002a704fd71aad3c1fbe18cc2 |
| SHA256 | 64b4035920671ea810763d0d3aedc5b59c360e326021e762e33019a17fecc115 |
| SHA512 | e345ab7d40fefda0b7c8b2dc0f4d38a3e1733f5699d08e7d616508d046ad03e35c300b74538f882e8b887e345cf0cd40599d4f2a353e94c70cbfa6c294223b4e |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-02 06:03
Reported
2021-08-02 06:05
Platform
win7v20210410
Max time kernel
54s
Max time network
56s
Command Line
Signatures
Oski
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2020 set thread context of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 864 & erase C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe & RD /S /Q C:\\ProgramData\\234931577592226\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 864
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | fine.le-pearl.com | udp |
| N/A | 108.167.158.96:80 | fine.le-pearl.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e4b16ffe0cf879717a38395db6d4d0b0 |
| SHA1 | c81cb4dff4a3b4087995637d2028328f05e2af5d |
| SHA256 | 1f9d7efb33cf97d11577637148f994ac334b1625787c670db552283ae8642485 |
| SHA512 | f13f7555cf156ab1f63a06b40c4ea26019ca19e82843276c9f1e4c847bc6265e72d76c2c9f1b4b0c44893e0fd6f09c318820cac85187231a662aba5819d75f04 |
C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp
| MD5 | bf64d4a655b245b1bd560dc86f73e713 |
| SHA1 | 1d4f7d13342afec5792fc9b185b61bed22e2ac0a |
| SHA256 | 300263401335f862275dbb971f8b50f9b4c6bbb7cc6059363d333755861b9050 |
| SHA512 | f063c9b7fd140d7a8807e5d10042f5136283db4f3d7e40089b3345b4ea9a818e01aab53ab09f23efd0cf1f120667010dcec41762eb0d5923928fa4147124b931 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 22150132e3fdc4fbff43d95243dd2dc4 |
| SHA1 | 127b211a35307fac44eb9ba9ea79a8c3144d8892 |
| SHA256 | bf776920691469e02a26103fdcaf37d6858adeaaf65316289119057b6d52a316 |
| SHA512 | 1bd49a1a232048a0934bca40fedccccc67eb355565cb0b8aa5eeb21c3afe9b1e21364450203a0a0dfc042f83172cb1364f4b1704a2d835749bfdfb2b00a8a2fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
| MD5 | b6d38f250ccc9003dd70efd3b778117f |
| SHA1 | d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a |
| SHA256 | 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265 |
| SHA512 | 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
| MD5 | df44874327d79bd75e4264cb8dc01811 |
| SHA1 | 1396b06debed65ea93c24998d244edebd3c0209d |
| SHA256 | 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181 |
| SHA512 | 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
| MD5 | 02ff38ac870de39782aeee04d7b48231 |
| SHA1 | 0390d39fa216c9b0ecdb38238304e518fb2b5095 |
| SHA256 | fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876 |
| SHA512 | 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
| MD5 | 75a8da7754349b38d64c87c938545b1b |
| SHA1 | 5c28c257d51f1c1587e29164cc03ea880c21b417 |
| SHA256 | bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96 |
| SHA512 | 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
| MD5 | 5e3c7184a75d42dda1a83606a45001d8 |
| SHA1 | 94ca15637721d88f30eb4b6220b805c5be0360ed |
| SHA256 | 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59 |
| SHA512 | fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
| MD5 | be4d72095faf84233ac17b94744f7084 |
| SHA1 | cc78ce5b9c57573bd214a8f423ee622b00ebb1ec |
| SHA256 | b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc |
| SHA512 | 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
| MD5 | a725bb9fafcf91f3c6b7861a2bde6db2 |
| SHA1 | 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114 |
| SHA256 | 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431 |
| SHA512 | 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | eb1e7aeafa13900c56e4f3751260699e |
| SHA1 | aae3c534fe4a465b8e5bc104387ed30029c3854f |
| SHA256 | baa2076ea666d353cb8c213e9613322135de4be06d52b5882d8297d6b003b3b0 |
| SHA512 | 74ec4c2236fcc49e082871628ab563a7407a3fcf8fcd751c5152ed0be272e82476bd6ef6052bfd2948ecf4aa3d9eb6c3a09a406e1143e031359b17e2f48430ad |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 99eb3cdec9b9c1aebf6198a1196ab051 |
| SHA1 | 813ffd24fa4034923878a994c3e41959a6cde937 |
| SHA256 | cb7abc836a02add2ee2f6c600cedca5ed52981cd88e650ca99df2e291e28f13d |
| SHA512 | e9d01d38b3590079ee309c0ae18b8cc86e3f65f8ad6e26c6650049df1dce8fa7ab969ece5a35d114490f8d2368568eca1beaba2e4aa5a6379e2c15f14e48edd7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
| MD5 | 597009ea0430a463753e0f5b1d1a249e |
| SHA1 | 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62 |
| SHA256 | 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d |
| SHA512 | 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | a520143aae388e298a6a907165b950f0 |
| SHA1 | f632ed2f9fe6b66c0b06f1f06009e93c404f7d4d |
| SHA256 | 76b60e7024b4d44a3c3e267c665741d5e6d57a0bf169f59d812f42e98bb8cf00 |
| SHA512 | 89ccdb63ea2017bccbe914cbe337cb7da14a2e10ed71c9132f09cc85fae442f20c4eb9918b7b035fa5978b237d9a008906f0bea067b3cb6873e0104abbc559a8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b2a0b8dc-4bf5-420c-92cd-7ab9a73e6edc
| MD5 | 354b8209f647a42e2ce36d8cf326cc92 |
| SHA1 | 98c3117f797df69935f8b09fc9e95accfe3d8346 |
| SHA256 | feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239 |
| SHA512 | 420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_af390788-5f4f-4757-889f-27d9fc7bb486
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0a473e99-eec7-4fb9-88b5-3b105087e796
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_75931faf-b82f-4394-9278-147095ca67f2
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | b7fb6af48e7f7c15c078a307211c4d22 |
| SHA1 | c6887ec9190ccd242eafff1221e8467dbddb2dd0 |
| SHA256 | b95fcc831429e1e7ff7cf66c087606e085e0dbc7d4aa4a9be149d1f64e2f3d0d |
| SHA512 | 2be2d8b5422d833b98c4a9628e15460a80ae89706431ec0bf5c129d92b4205f4bd78e7d6b615fd0ac2d24612ddbe329e9da6045bb90dfec7035e43b66e3c2c5f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 580f45c6b768d645d3fd10cff1d1d774 |
| SHA1 | e228229ad273aeb1db26ec99b00d8ee923d134fb |
| SHA256 | ee016f5efa7e9b8e1fe626e44c878c12eb0f441aca795f992c8944870494f451 |
| SHA512 | 608818c4aa0000bb51b817cdbd2e5a95f827ec9d6c679a4b49e5e334702d7e598ad7225076f947332072f36096a958aac8142127e15d43b6fdea3bef216becf3 |