E214.tmp.exe

General
Target

E214.tmp.exe

Filesize

818KB

Completed

12-05-2020 11:24

Score

10/10

MD5

eb6c5d9f2aeed5e494370f4d28a0307b

SHA1

bf3d7db88f44c7440e81dd96b83b70038e88e3f5

SHA256

fafa82e7a61c1a516bb83c19d0e5ffce99eac17d34bb9280da34c515e1279653

Malware Config

Extracted

Path C:\_readme.txt
Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-PHmSJZS9ey Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@firemail.cc Your personal ID: 0225yiuduy6S5dcnlKQ98kXDvxgsXzukMEM5f3xFKfqIWvhqUxfWVb
Emails

helpmanager@mail.ch

restoremanager@firemail.cc

URLs

https://we.tl/t-PHmSJZS9ey

Signatures 17

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Persistence

  • Suspicious behavior: EnumeratesProcesses
    Processes: E214.tmp.exe, powershell.exe, 5.exe

    Reported IOCs

    pid   process
    1520  E214.tmp.exe
    1796  E214.tmp.exe  (×2)
    1624  powershell.exe  (×3)
    1856  powershell.exe  (×2)
    1824  powershell.exe
    1952  5.exe  (×4)
    1748  E214.tmp.exe
  • Drops file in Drivers directory
    Processes: updatewin2.exe

    Reported IOCs

    description                   ioc                                    process
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  updatewin2.exe
  • Suspicious use of AdjustPrivilegeToken
    Processes: powershell.exe, taskkill.exe, AUDIODG.EXE

    Reported IOCs

    description                        pid   process
    Token: SeDebugPrivilege            1624  powershell.exe
    Token: SeDebugPrivilege            1856  powershell.exe
    Token: SeDebugPrivilege            1824  powershell.exe
    Token: SeDebugPrivilege            1592  taskkill.exe
    Token: 33                          1748  AUDIODG.EXE  (×2)
    Token: SeIncBasePriorityPrivilege  1748  AUDIODG.EXE  (×2)
  • Disables Task Manager via registry modification

  • Executes dropped EXE
    Processes: updatewin1.exe, updatewin2.exe, 5.exe, E214.tmp.exe

    Reported IOCs

    pid   process
    1144  updatewin1.exe
    956   updatewin2.exe
    1640  updatewin1.exe
    1952  5.exe
    1748  E214.tmp.exe
  • Suspicious use of FindShellTrayWindow
    Processes: NOTEPAD.EXE

    Reported IOCs

    pid   process
    1920  NOTEPAD.EXE
  • Opens file in notepad (likely ransom note)
    Processes: NOTEPAD.EXE

    Reported IOCs

    pid   process
    1920  NOTEPAD.EXE
  • Modifies file permissions
    Processes: icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid   process
    1532  icacls.exe
  • Checks for installed software on the system
    Processes: 5.exe

    TTPs

    Query Registry

    Reported IOCs

    description        ioc  process
    Key opened         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName  5.exe
    Key enumerated     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName  5.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName  5.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    21    ip-api.com
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run entry to start application
    Processes: E214.tmp.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description      ioc  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\80f457ce-6e3a-4a8f-b143-ac81ecafd120\\E214.tmp.exe\" --AutoStart"  E214.tmp.exe
  • Suspicious use of WriteProcessMemory
    Processes: E214.tmp.exe, updatewin1.exe, powershell.exe

    Reported IOCs

    description                       pid   process         target process
    PID 1520 wrote to memory of 1532  1520  E214.tmp.exe    icacls.exe      (×4)
    PID 1520 wrote to memory of 1796  1520  E214.tmp.exe    E214.tmp.exe    (×4)
    PID 1796 wrote to memory of 1144  1796  E214.tmp.exe    updatewin1.exe  (×7)
    PID 1796 wrote to memory of 956   1796  E214.tmp.exe    updatewin2.exe  (×7)
    PID 1144 wrote to memory of 1640  1144  updatewin1.exe  updatewin1.exe  (×7)
    PID 1640 wrote to memory of 1624  1640  updatewin1.exe  powershell.exe  (×7)
    PID 1796 wrote to memory of 1952  1796  E214.tmp.exe    5.exe           (×4)
    PID 1640 wrote to memory of 1856  1640  updatewin1.exe  powershell.exe  (×7)
    PID 1856 wrote to memory of 1824  1856  powershell.exe  powershell.exe  (×7)
    PID 1640 wrote to memory of 1044  1640  updatewin1.exe  mpcmdrun.exe    (×4)
    PID 1640 wrote to memory of 1768  1640  updatewin1.exe  cmd.exe         (×6)
  • Loads dropped DLL
    Processes: E214.tmp.exe, updatewin1.exe, 5.exe

    Reported IOCs

    pid   process
    1796  E214.tmp.exe    (×4)
    1144  updatewin1.exe  (×5)
    1640  updatewin1.exe  (×3)
    1952  5.exe           (×4)
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Checks processor information in registry
    Processes: 5.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc  process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  5.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5.exe
  • Kills process with taskkill
    Processes: taskkill.exe

    Reported IOCs

    pid   process
    1592  taskkill.exe
Processes 19
  • C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe"
    Suspicious behavior: EnumeratesProcesses
    Adds Run entry to start application
    Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:1532
    • C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe" --Admin IsNotAutoStart IsNotTask
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      PID:1796
      • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
        "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe"
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        Loads dropped DLL
        PID:1144
        • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
          "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe" --Admin
          Executes dropped EXE
          Suspicious use of WriteProcessMemory
          Loads dropped DLL
          PID:1640
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              PID:1824
          • C:\Program Files\Windows Defender\mpcmdrun.exe
            "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            PID:1044
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
            PID:1768
      • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
        "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        PID:956
      • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
        "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe"
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Checks for installed software on the system
        Loads dropped DLL
        Checks processor information in registry
        PID:1952
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe & exit
          PID:1840
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 5.exe /f
            Suspicious use of AdjustPrivilegeToken
            Kills process with taskkill
            PID:1592
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7EC98CF2-FA1A-4AF7-9E2B-F6A1BDDA3BCF} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]
    PID:1596
    • C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe
      C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe --Task
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      PID:1748
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1552
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f0
    Suspicious use of AdjustPrivilegeToken
    PID:1748
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    Suspicious use of FindShellTrayWindow
    Opens file in notepad (likely ransom note)
    PID:1920
Network

MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
  • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
  • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
  • C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e331f9c7-6ec8-40f5-b318-7a4a05eb497d
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  • C:\Users\Admin\AppData\Local\Temp\delself.bat
  • C:\Users\Admin\AppData\Local\script.ps1
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  • C:\_readme.txt
  • \ProgramData\mozglue.dll
  • \ProgramData\msvcp140.dll
  • \ProgramData\nss3.dll
  • \ProgramData\vcruntime140.dll
  • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
  • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
  • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
  • memory/956-19-0x0000000001DB0000-0x0000000001DC1000-memory.dmp
  • memory/956-25-0x000000000030F000-0x0000000000310000-memory.dmp
  • memory/1144-12-0x00000000020F0000-0x0000000002101000-memory.dmp
  • memory/1144-13-0x00000000005F0000-0x00000000005F1000-memory.dmp
  • memory/1520-0-0x00000000002D0000-0x0000000000361000-memory.dmp
  • memory/1520-1-0x0000000000CE0000-0x0000000000CF1000-memory.dmp
  • memory/1640-24-0x0000000000342000-0x0000000000343000-memory.dmp
  • memory/1640-23-0x0000000001D40000-0x0000000001D51000-memory.dmp
  • memory/1748-55-0x0000000000220000-0x00000000002B1000-memory.dmp
  • memory/1748-56-0x0000000000E90000-0x0000000000EA1000-memory.dmp
  • memory/1796-4-0x0000000000BE0000-0x0000000000BF1000-memory.dmp
  • memory/1796-3-0x0000000000950000-0x00000000009E1000-memory.dmp
  • memory/1796-58-0x0000000003DE0000-0x0000000003DF1000-memory.dmp
  • memory/1796-59-0x00000000041F0000-0x0000000004201000-memory.dmp
  • memory/1796-60-0x0000000003DE0000-0x0000000003DF1000-memory.dmp
  • memory/1952-31-0x0000000000989000-0x000000000098A000-memory.dmp
  • memory/1952-32-0x0000000000BD0000-0x0000000000BE1000-memory.dmp