Malware Analysis Report

2025-06-16 03:09

Sample ID 210807-se31r3l772
Target bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
SHA256 bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
Tags oski discovery infostealer spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750

Threat Level: Known bad

The file bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750 was found to be: Known bad.

Malicious Activity Summary

oski discovery infostealer spyware stealer

Oski

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Creates scheduled task(s)

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-07 22:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-07 22:17

Reported

2021-08-07 22:23

Platform

win10v20210408

Max time kernel

105s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

Signatures

Oski

infostealer oski

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Windows\SysWOW64\schtasks.exe
PID 3628 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
PID 3628 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
PID 3628 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
PID 3628 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
PID 688 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe

"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDF0.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe

"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe

"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe

"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe

"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 688 & erase C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410ab' & RD /S /Q C:\\ProgramData\\021390826612043\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 688

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 fine.le-pearl.com udp
N/A 108.167.158.96:80 fine.le-pearl.com tcp
N/A 82.146.56.118:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpEDF0.tmp
