Analysis
- max time kernel: 280s
- max time network: 128s
- platform: windows7_x64
- resource: win7v200430
- submitted: 12-05-2020 11:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: E214.tmp.exe
- Resource: win7v200430
General
- Target: E214.tmp.exe
- Size: 818KB
- MD5: eb6c5d9f2aeed5e494370f4d28a0307b
- SHA1: bf3d7db88f44c7440e81dd96b83b70038e88e3f5
- SHA256: fafa82e7a61c1a516bb83c19d0e5ffce99eac17d34bb9280da34c515e1279653
- SHA512: eb332247ee9006e7b64da251c929a40d38a0cab40e0b47e60c71f4ee0c3f24b887916aebc160f0dc954cf3a8a428c4c264068886155f6376d70481682e59c49d
Malware Config
Extracted
- Path: C:\_readme.txt
- helpmanager@mail.ch
- restoremanager@firemail.cc
- https://we.tl/t-PHmSJZS9ey
Signatures

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid, process):
- 1520 E214.tmp.exe
- 1796 E214.tmp.exe
- 1624 powershell.exe
- 1624 powershell.exe
- 1624 powershell.exe
- 1856 powershell.exe
- 1856 powershell.exe
- 1824 powershell.exe
- 1952 5.exe
- 1952 5.exe
- 1952 5.exe
- 1952 5.exe
- 1748 E214.tmp.exe
- 1796 E214.tmp.exe
Drops file in Drivers directory (1 IoC)
Processes (description, ioc, process):
- File opened for modification | C:\Windows\System32\drivers\etc\hosts | updatewin2.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege | 1624 | powershell.exe
- Token: SeDebugPrivilege | 1856 | powershell.exe
- Token: SeDebugPrivilege | 1824 | powershell.exe
- Token: SeDebugPrivilege | 1592 | taskkill.exe
- Token: 33 | 1748 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 1748 | AUDIODG.EXE
- Token: 33 | 1748 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 1748 | AUDIODG.EXE

Disables Task Manager via registry modification

Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 1144 updatewin1.exe
- 956 updatewin2.exe
- 1640 updatewin1.exe
- 1952 5.exe
- 1748 E214.tmp.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 1920 NOTEPAD.EXE

Opens file in notepad (likely ransom note) (1 IoC)
Processes (pid, process):
- 1920 NOTEPAD.EXE

Modifies file permissions (1 TTP, 1 IoC)
Checks for installed software on the system (1 TTP, 29 IoCs)
Processes (description, ioc, process). All keys below are relative to \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and all were accessed by 5.exe:
- Key opened | (the Uninstall key itself) | 5.exe
- Key value queried | AddressBook\DisplayName | 5.exe
- Key value queried | Connection Manager\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | 5.exe
- Key value queried | Google Chrome\DisplayName | 5.exe
- Key value queried | IE40\DisplayName | 5.exe
- Key value queried | IEData\DisplayName | 5.exe
- Key value queried | {00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | 5.exe
- Key value queried | MobileOptionPack\DisplayName | 5.exe
- Key value queried | {AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | 5.exe
- Key value queried | {BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName | 5.exe
- Key value queried | Fontcore\DisplayName | 5.exe
- Key value queried | {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 5.exe
- Key value queried | {ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 5.exe
- Key enumerated | (the Uninstall key itself) | 5.exe
- Key value queried | Adobe AIR\DisplayName | 5.exe
- Key value queried | IE5BAKEX\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | 5.exe
- Key value queried | DirectDrawEx\DisplayName | 5.exe
- Key value queried | SchedulingAgent\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | 5.exe
- Key value queried | {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | 5.exe
- Key value queried | {92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | 5.exe
- Key value queried | {f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 5.exe
- Key value queried | IE4Data\DisplayName | 5.exe
- Key value queried | WIC\DisplayName | 5.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 21 | ip-api.com

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\80f457ce-6e3a-4a8f-b143-ac81ecafd120\\E214.tmp.exe\" --AutoStart" | E214.tmp.exe
Suspicious use of WriteProcessMemory (77 IoCs)
Processes (source pid/process -> target pid/process; identical rows are collapsed and the number of times each appears in the report is given in parentheses):
- 1520 E214.tmp.exe wrote to memory of 1532 icacls.exe (4)
- 1520 E214.tmp.exe wrote to memory of 1796 E214.tmp.exe (4)
- 1796 E214.tmp.exe wrote to memory of 1144 updatewin1.exe (7)
- 1796 E214.tmp.exe wrote to memory of 956 updatewin2.exe (7)
- 1144 updatewin1.exe wrote to memory of 1640 updatewin1.exe (7)
- 1640 updatewin1.exe wrote to memory of 1624 powershell.exe (7)
- 1796 E214.tmp.exe wrote to memory of 1952 5.exe (4)
- 1640 updatewin1.exe wrote to memory of 1856 powershell.exe (7)
- 1856 powershell.exe wrote to memory of 1824 powershell.exe (7)
- 1640 updatewin1.exe wrote to memory of 1044 mpcmdrun.exe (4)
- 1640 updatewin1.exe wrote to memory of 1768 cmd.exe (6)
Loads dropped DLL (16 IoCs)
Processes (pid, process):
- 1796 E214.tmp.exe
- 1144 updatewin1.exe
- 1144 updatewin1.exe
- 1144 updatewin1.exe
- 1796 E214.tmp.exe
- 1144 updatewin1.exe
- 1144 updatewin1.exe
- 1640 updatewin1.exe
- 1640 updatewin1.exe
- 1640 updatewin1.exe
- 1796 E214.tmp.exe
- 1796 E214.tmp.exe
- 1952 5.exe
- 1952 5.exe
- 1952 5.exe
- 1952 5.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe

Kills process with taskkill (1 IoC)
Processes (pid, process):
- 1592 taskkill.exe
Processes
Process tree (indentation and the depth number give the parent/child nesting; each entry lists the image path, the command line as recorded, and the signatures it triggered):

(depth 1) C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\icacls.exe
    command line: icacls "C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions

  (depth 2) C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe" --Admin IsNotAutoStart IsNotTask
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL

    (depth 3) C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
      command line: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL

      (depth 4) C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
        command line: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe" --Admin
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL

        (depth 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        (depth 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          (depth 6) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line (closing quote absent in the recorded command line): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        (depth 5) C:\Program Files\Windows Defender\mpcmdrun.exe
          command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all

        (depth 5) C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""

    (depth 3) C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
      command line: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE

    (depth 3) C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
      command line: "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Checks for installed software on the system
      - Loads dropped DLL
      - Checks processor information in registry

      (depth 4) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe & exit

        (depth 5) C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /im 5.exe /f
          - Suspicious use of AdjustPrivilegeToken
          - Kills process with taskkill

(depth 1) C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {7EC98CF2-FA1A-4AF7-9E2B-F6A1BDDA3BCF} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]

  (depth 2) C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe
    command line: C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe --Task
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE

(depth 1) C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"

(depth 1) C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x4f0
  - Suspicious use of AdjustPrivilegeToken

(depth 1) C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
  - Suspicious use of FindShellTrayWindow
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files written during the run (a path listed more than once in the report is shown once, with the number of occurrences in parentheses):
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (2)
- C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe (2)
- C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe (3)
- C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
- C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe (2)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e331f9c7-6ec8-40f5-b318-7a4a05eb497d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
- C:\Users\Admin\AppData\Local\Temp\delself.bat
- C:\Users\Admin\AppData\Local\script.ps1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (2)
- C:\_readme.txt
- \ProgramData\mozglue.dll
- \ProgramData\msvcp140.dll
- \ProgramData\nss3.dll
- \ProgramData\vcruntime140.dll
- \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe (2)
- \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe (9)
- \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
Memory dumps (dump name, file size):
- memory/956-25-0x000000000030F000-0x0000000000310000-memory.dmp | 4KB
- memory/956-19-0x0000000001DB0000-0x0000000001DC1000-memory.dmp | 68KB
- memory/1144-13-0x00000000005F0000-0x00000000005F1000-memory.dmp | 4KB
- memory/1144-12-0x00000000020F0000-0x0000000002101000-memory.dmp | 68KB
- memory/1520-1-0x0000000000CE0000-0x0000000000CF1000-memory.dmp | 68KB
- memory/1520-0-0x00000000002D0000-0x0000000000361000-memory.dmp | 580KB
- memory/1640-23-0x0000000001D40000-0x0000000001D51000-memory.dmp | 68KB
- memory/1640-24-0x0000000000342000-0x0000000000343000-memory.dmp | 4KB
- memory/1748-55-0x0000000000220000-0x00000000002B1000-memory.dmp | 580KB
- memory/1748-56-0x0000000000E90000-0x0000000000EA1000-memory.dmp | 68KB
- memory/1796-4-0x0000000000BE0000-0x0000000000BF1000-memory.dmp | 68KB
- memory/1796-3-0x0000000000950000-0x00000000009E1000-memory.dmp | 580KB
- memory/1796-58-0x0000000003DE0000-0x0000000003DF1000-memory.dmp | 68KB
- memory/1796-59-0x00000000041F0000-0x0000000004201000-memory.dmp | 68KB
- memory/1796-60-0x0000000003DE0000-0x0000000003DF1000-memory.dmp | 68KB
- memory/1952-32-0x0000000000BD0000-0x0000000000BE1000-memory.dmp | 68KB
- memory/1952-31-0x0000000000989000-0x000000000098A000-memory.dmp | 4KB