Malware Analysis Report

2025-06-16 03:09

Sample ID 210802-se9y5plm76
Target 8663ed0caec9adcb980a4a7ea23e7984.exe
SHA256 bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
Tags oski discovery infostealer spyware stealer suricata
Score 10/10

Analysis Overview

Score 10/10

SHA256 bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750

Threat Level: Known bad

The file 8663ed0caec9adcb980a4a7ea23e7984.exe was found to be: Known bad.

Malicious Activity Summary

oski discovery infostealer spyware stealer suricata

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

Oski

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Deletes itself

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-02 06:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-02 06:03

Reported

2021-08-02 06:05

Platform

win10v20210410

Max time kernel

85s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

Signatures

Oski

infostealer oski

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2112 set thread context of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2112 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2112 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2112 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2112 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2416 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4076 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4076 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD121.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 2416 & erase C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe & RD /S /Q C:\\ProgramData\\150367815699766\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 2416

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 fine.le-pearl.com udp
N/A 108.167.158.96:80 fine.le-pearl.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD121.tmp

MD5 827f1a3d88da0cb6cc0c77bde43f4d68
SHA1 0e48618e9597894312dd14a791441e906f9c6c5d
SHA256 a06b8b045cd2a247a7a321c7411d9f81cdb125820ce043f37a720f046293331e
SHA512 dec0938cc63b5671aa53b176116086eea022cae536ca4c18130102481ff028d7686e28afd2c91c126862b35c978755f71cdd35c349876063c1d4ab8b1e882959

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c47b22e90b7c07ee61c9cac8d013b5de
SHA1 70a037b16b49285780782e8ceb9ab4053871ce78
SHA256 3294f037d78de491f2464dad68d5492e13cfaa7aaf97f9b63b33602023911b7b
SHA512 c77100fab644095c0b4788d03531e1a64d0856fd65bfee560ab1318ce786ed5a709943c5ab6646200fdcec2caa7d9acb580cb3134ce821d5e583fde6de040323

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0fc8fe76cb074e745c52a409cef7e8f9
SHA1 9137974467fc0f9002a704fd71aad3c1fbe18cc2
SHA256 64b4035920671ea810763d0d3aedc5b59c360e326021e762e33019a17fecc115
SHA512 e345ab7d40fefda0b7c8b2dc0f4d38a3e1733f5699d08e7d616508d046ad03e35c300b74538f882e8b887e345cf0cd40599d4f2a353e94c70cbfa6c294223b4e

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-02 06:03

Reported

2021-08-02 06:05

Platform

win7v20210410

Max time kernel

54s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

Signatures

Oski

infostealer oski

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2020 set thread context of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 2020 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
PID 864 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 824 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 824 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 824 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe

"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 864 & erase C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe & RD /S /Q C:\\ProgramData\\234931577592226\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 864

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 fine.le-pearl.com udp
N/A 108.167.158.96:80 fine.le-pearl.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e4b16ffe0cf879717a38395db6d4d0b0
SHA1 c81cb4dff4a3b4087995637d2028328f05e2af5d
SHA256 1f9d7efb33cf97d11577637148f994ac334b1625787c670db552283ae8642485
SHA512 f13f7555cf156ab1f63a06b40c4ea26019ca19e82843276c9f1e4c847bc6265e72d76c2c9f1b4b0c44893e0fd6f09c318820cac85187231a662aba5819d75f04

C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp

MD5 bf64d4a655b245b1bd560dc86f73e713
SHA1 1d4f7d13342afec5792fc9b185b61bed22e2ac0a
SHA256 300263401335f862275dbb971f8b50f9b4c6bbb7cc6059363d333755861b9050
SHA512 f063c9b7fd140d7a8807e5d10042f5136283db4f3d7e40089b3345b4ea9a818e01aab53ab09f23efd0cf1f120667010dcec41762eb0d5923928fa4147124b931

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 22150132e3fdc4fbff43d95243dd2dc4
SHA1 127b211a35307fac44eb9ba9ea79a8c3144d8892
SHA256 bf776920691469e02a26103fdcaf37d6858adeaaf65316289119057b6d52a316
SHA512 1bd49a1a232048a0934bca40fedccccc67eb355565cb0b8aa5eeb21c3afe9b1e21364450203a0a0dfc042f83172cb1364f4b1704a2d835749bfdfb2b00a8a2fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9

MD5 b6d38f250ccc9003dd70efd3b778117f
SHA1 d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA256 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA512 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b

MD5 df44874327d79bd75e4264cb8dc01811
SHA1 1396b06debed65ea93c24998d244edebd3c0209d
SHA256 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA512 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5

MD5 02ff38ac870de39782aeee04d7b48231
SHA1 0390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256 fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA512 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba

MD5 75a8da7754349b38d64c87c938545b1b
SHA1 5c28c257d51f1c1587e29164cc03ea880c21b417
SHA256 bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598

MD5 5e3c7184a75d42dda1a83606a45001d8
SHA1 94ca15637721d88f30eb4b6220b805c5be0360ed
SHA256 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512 fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370

MD5 be4d72095faf84233ac17b94744f7084
SHA1 cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256 b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA512 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c

MD5 a725bb9fafcf91f3c6b7861a2bde6db2
SHA1 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA256 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA512 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 eb1e7aeafa13900c56e4f3751260699e
SHA1 aae3c534fe4a465b8e5bc104387ed30029c3854f
SHA256 baa2076ea666d353cb8c213e9613322135de4be06d52b5882d8297d6b003b3b0
SHA512 74ec4c2236fcc49e082871628ab563a7407a3fcf8fcd751c5152ed0be272e82476bd6ef6052bfd2948ecf4aa3d9eb6c3a09a406e1143e031359b17e2f48430ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 99eb3cdec9b9c1aebf6198a1196ab051
SHA1 813ffd24fa4034923878a994c3e41959a6cde937
SHA256 cb7abc836a02add2ee2f6c600cedca5ed52981cd88e650ca99df2e291e28f13d
SHA512 e9d01d38b3590079ee309c0ae18b8cc86e3f65f8ad6e26c6650049df1dce8fa7ab969ece5a35d114490f8d2368568eca1beaba2e4aa5a6379e2c15f14e48edd7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb

MD5 597009ea0430a463753e0f5b1d1a249e
SHA1 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA256 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA512 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

memory/1904-141-0x0000000006500000-0x0000000006501000-memory.dmp

memory/1904-142-0x0000000006510000-0x0000000006511000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 a520143aae388e298a6a907165b950f0
SHA1 f632ed2f9fe6b66c0b06f1f06009e93c404f7d4d
SHA256 76b60e7024b4d44a3c3e267c665741d5e6d57a0bf169f59d812f42e98bb8cf00
SHA512 89ccdb63ea2017bccbe914cbe337cb7da14a2e10ed71c9132f09cc85fae442f20c4eb9918b7b035fa5978b237d9a008906f0bea067b3cb6873e0104abbc559a8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b2a0b8dc-4bf5-420c-92cd-7ab9a73e6edc

MD5 354b8209f647a42e2ce36d8cf326cc92
SHA1 98c3117f797df69935f8b09fc9e95accfe3d8346
SHA256 feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239
SHA512 420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_af390788-5f4f-4757-889f-27d9fc7bb486

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0a473e99-eec7-4fb9-88b5-3b105087e796

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_75931faf-b82f-4394-9278-147095ca67f2

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 b7fb6af48e7f7c15c078a307211c4d22
SHA1 c6887ec9190ccd242eafff1221e8467dbddb2dd0
SHA256 b95fcc831429e1e7ff7cf66c087606e085e0dbc7d4aa4a9be149d1f64e2f3d0d
SHA512 2be2d8b5422d833b98c4a9628e15460a80ae89706431ec0bf5c129d92b4205f4bd78e7d6b615fd0ac2d24612ddbe329e9da6045bb90dfec7035e43b66e3c2c5f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 580f45c6b768d645d3fd10cff1d1d774
SHA1 e228229ad273aeb1db26ec99b00d8ee923d134fb
SHA256 ee016f5efa7e9b8e1fe626e44c878c12eb0f441aca795f992c8944870494f451
SHA512 608818c4aa0000bb51b817cdbd2e5a95f827ec9d6c679a4b49e5e334702d7e598ad7225076f947332072f36096a958aac8142127e15d43b6fdea3bef216becf3

memory/824-168-0x0000000000000000-mapping.dmp

memory/1148-169-0x0000000000000000-mapping.dmp