F820.tmp.exe

General

Target: F820.tmp.exe
Filesize: 813KB
Completed: 27-04-2020 03:07
Score: 8/10
MD5: 42e683f3f24484bd47f079b114002571
SHA1: 4a7840d449e1454561a34c49f7d91224ef892e2c
SHA256: ce90d07b63358dc14f246849d5a04b41692c849cdd2de04c2dc8b0e161a45b3e

Malware Config
Signatures 17

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • Suspicious use of WriteProcessMemory
    F820.tmp.exe, F820.tmp.exe, updatewin1.exe, updatewin1.exe, powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 2024 wrote to memory of 1640 | 2024 | F820.tmp.exe | icacls.exe
    PID 2024 wrote to memory of 996 | 2024 | F820.tmp.exe | F820.tmp.exe
    PID 996 wrote to memory of 1748 | 996 | F820.tmp.exe | updatewin1.exe
    PID 1748 wrote to memory of 1780 | 1748 | updatewin1.exe | updatewin1.exe
    PID 996 wrote to memory of 1820 | 996 | F820.tmp.exe | updatewin2.exe
    PID 1780 wrote to memory of 1840 | 1780 | updatewin1.exe | powershell.exe
    PID 996 wrote to memory of 1568 | 996 | F820.tmp.exe | 5.exe
    PID 1780 wrote to memory of 1584 | 1780 | updatewin1.exe | powershell.exe
    PID 1584 wrote to memory of 1164 | 1584 | powershell.exe | powershell.exe
    PID 1780 wrote to memory of 1696 | 1780 | updatewin1.exe | mpcmdrun.exe
    PID 1780 wrote to memory of 1724 | 1780 | updatewin1.exe | cmd.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, powershell.exe, taskkill.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1840 | powershell.exe
    Token: SeDebugPrivilege | 1584 | powershell.exe
    Token: SeDebugPrivilege | 1164 | powershell.exe
    Token: SeDebugPrivilege | 1460 | taskkill.exe
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Drops file in Drivers directory
    updatewin2.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | updatewin2.exe
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    pid | process
    1460 | taskkill.exe
  • Makes http(s) request

    Description

    Contacts server via http/https, possibly for C2 communication.

    Reported IOCs

    description | flow | ioc
    HTTP URL | 15 | http://akbz.top/files/penelop/3.exe
    HTTP URL | 20 | http://evergladsea.com/517
    HTTP URL | 20 | http://evergladsea.com/freebl3.dll
    HTTP URL | 20 | http://evergladsea.com/mozglue.dll
    HTTP URL | 20 | http://evergladsea.com/msvcp140.dll
    HTTP URL | 20 | http://evergladsea.com/vcruntime140.dll
    HTTP URL | 11 | http://akbz.top/files/penelop/updatewin1.exe
    HTTP URL | 12 | http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=7FE0677D783F4AD4240B4688EDAACCFA&first=true
    HTTP URL | 31 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    HTTP URL | 22 | http://ip-api.com/line/
    HTTP URL | 14 | http://akbz.top/files/penelop/updatewin.exe
    HTTP URL | 20 | http://evergladsea.com/nss3.dll
    HTTP URL | 20 | http://evergladsea.com/
    HTTP URL | 6 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    HTTP URL | 9 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    HTTP URL | 17 | http://akbz.top/files/penelop/5.exe
    HTTP URL | 20 | http://evergladsea.com/softokn3.dll
    HTTP URL | 13 | http://akbz.top/files/penelop/updatewin2.exe
    HTTP URL | 16 | http://akbz.top/files/penelop/4.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Loads dropped DLL
    F820.tmp.exe, updatewin1.exe, updatewin1.exe, 5.exe

    Reported IOCs

    pid | process
    996 | F820.tmp.exe
    1748 | updatewin1.exe
    1780 | updatewin1.exe
    1568 | 5.exe
  • Executes dropped EXE
    updatewin1.exe, updatewin1.exe, updatewin2.exe, 5.exe, F820.tmp.exe

    Reported IOCs

    pid | process
    1748 | updatewin1.exe
    1780 | updatewin1.exe
    1820 | updatewin2.exe
    1568 | 5.exe
    700 | F820.tmp.exe
  • Checks processor information in registry
    5.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Reported IOCs

    pid | process
    1656 | NOTEPAD.EXE
  • Adds Run entry to start application
    F820.tmp.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5def4699-2071-43af-b361-72c272756e78\\F820.tmp.exe\" --AutoStart" | F820.tmp.exe
  • Suspicious behavior: EnumeratesProcesses
    F820.tmp.exe, F820.tmp.exe, powershell.exe, powershell.exe, 5.exe, powershell.exe, F820.tmp.exe

    Reported IOCs

    pid | process
    2024 | F820.tmp.exe
    996 | F820.tmp.exe
    1840 | powershell.exe
    1584 | powershell.exe
    1568 | 5.exe
    1164 | powershell.exe
    700 | F820.tmp.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    21 | ip-api.com
  • Modifies file permissions
    icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    1640 | icacls.exe
  • Checks for installed software on the system
    5.exe

    TTPs

    Query Registry

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | 5.exe
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName | 5.exe
    Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | 5.exe
  • Disables Task Manager via registry modification

Processes 19
  • C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe"
    Suspicious use of WriteProcessMemory
    Adds Run entry to start application
    Suspicious behavior: EnumeratesProcesses
    PID:2024
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:1640
    • C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe" --Admin IsNotAutoStart IsNotTask
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:996
      • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
        "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe"
        Suspicious use of WriteProcessMemory
        Loads dropped DLL
        Executes dropped EXE
        PID:1748
        • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
          "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe" --Admin
          Suspicious use of WriteProcessMemory
          Loads dropped DLL
          Executes dropped EXE
          PID:1780
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            Suspicious use of AdjustPrivilegeToken
            Suspicious behavior: EnumeratesProcesses
            PID:1840
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            Suspicious use of WriteProcessMemory
            Suspicious use of AdjustPrivilegeToken
            Suspicious behavior: EnumeratesProcesses
            PID:1584
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              Suspicious use of AdjustPrivilegeToken
              Suspicious behavior: EnumeratesProcesses
              PID:1164
          • C:\Program Files\Windows Defender\mpcmdrun.exe
            "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            PID:1696
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
            PID:1724
      • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe
        "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        PID:1820
      • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
        "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe"
        Loads dropped DLL
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Checks for installed software on the system
        PID:1568
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe & exit
          PID:1580
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 5.exe /f
            Suspicious use of AdjustPrivilegeToken
            Kills process with taskkill
            PID:1460
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1388
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {969DBEDC-FA5C-43ED-ADFC-B54FB9707DB8} S-1-5-21-3765897441-2376744223-3151462503-1000:BKIWADLA\Admin:Interactive:[1]
    PID:520
    • C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe
      C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe --Task
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:700
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1772
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    Opens file in notepad (likely ransom note)
    PID:1656
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
  • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
  • C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe
  • C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_05471756-4b9c-45e9-8ddd-05fab605d637
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1d59a429-221c-4f91-aca4-cb149fe0cdc3
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_20b90e15-f237-499e-a823-6772568bf000
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_37386d62-281a-4a91-a575-6755e45f3238
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5028523d-10aa-4674-b3d1-9db9e7b9fbf6
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a24b3c29-8785-47a4-90c7-9951cb5bf055
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3feaac6-0199-4ad4-87ff-a4b7cbd02223
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  • C:\Users\Admin\AppData\Local\Temp\delself.bat
  • C:\Users\Admin\AppData\Local\script.ps1
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  • C:\_readme.txt
  • \ProgramData\mozglue.dll
  • \ProgramData\msvcp140.dll
  • \ProgramData\nss3.dll
  • \ProgramData\vcruntime140.dll
  • \Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
  • \Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
  • \Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe