70BC.tmp.exe

General

Target: 70BC.tmp.exe
Filesize: 676KB
Completed: 13-07-2020 11:02
Score: 10/10
MD5: 07566fb66073abafbd438f08fa1c7245
SHA1: e73eed815412a3cb1929add64b3ba7639006eb2e
SHA256: 6eb60af3c1f6688fee7286b384fd107552bdf95dc951101df4a1d4f861623134

Malware Config

Extracted

Path: C:\_readme.txt

Ransom Note:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-q9ro1midUb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0240regyjnkjddrtgjAPJNEQoue2941bbvln0FlNgqZ8mrbh5FmCQGfK

Emails:
  • helpmanager@mail.ch
  • restoremanager@airmail.cc

URLs:
  • https://we.tl/t-q9ro1midUb
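The emails, URL, prices and personal ID above are the fields that vary between victims and campaigns of the same note template. The following extractor, added here as an example and not part of the sandbox's own tooling, pulls those fields out of the note text exactly as the report extracted it, lists the domains worth blocking, and hashes the note with the variable fields blanked so that notes from different victims of the same builder cluster together. The regular expressions and the placeholder scheme are this example's own choices.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Ransom note text as the sandbox extracted it from C:\_readme.txt (copied from the report).
NOTE = (
    "ATTENTION! Don't worry, you can return all your files! All your files like photos, "
    "databases, documents and other important are encrypted with strongest encryption and "
    "unique key. The only method of recovering files is to purchase decrypt tool and unique "
    "key for you. This software will decrypt all your encrypted files. What guarantees you "
    "have? You can send one of your encrypted file from your PC and we decrypt it for free. "
    "But we can decrypt only 1 file for free. File must not contain valuable information. "
    "You can get and look video overview decrypt tool: https://we.tl/t-q9ro1midUb Price of "
    "private key and decrypt software is $980. Discount 50% available if you contact us first "
    "72 hours, that's price for you is $490. Please note that you'll never restore your data "
    'without payment. Check your e-mail "Spam" or "Junk" folder if you don\'t get answer more '
    "than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch "
    "Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: "
    "0240regyjnkjddrtgjAPJNEQoue2941bbvln0FlNgqZ8mrbh5FmCQGfK"
)

# Field patterns (this example's own; tune them if a note variant uses other phrasing).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PRICE_RE = re.compile(r"\$\s?(\d[\d,]*)")
ID_RE = re.compile(r"personal ID:\s*([A-Za-z0-9]+)", re.I)


@dataclass
class NoteConfig:
    emails: List[str]
    urls: List[str]
    prices_usd: List[int]
    personal_id: Optional[str]


def _unique(items):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract(note: str) -> NoteConfig:
    """Pull the contact, payment and victim-ID fields out of a note."""
    emails = _unique(EMAIL_RE.findall(note))
    urls = _unique(u.rstrip(".,;:)") for u in URL_RE.findall(note))
    prices = [int(p.replace(",", "")) for p in PRICE_RE.findall(note)]
    m = ID_RE.search(note)
    return NoteConfig(emails, urls, prices, m.group(1) if m else None)


def domains(cfg: NoteConfig) -> List[str]:
    """Domains behind the contact addresses and links, for blocking or hunting."""
    hosts = [e.rsplit("@", 1)[1].lower() for e in cfg.emails]
    hosts += [urlparse(u).hostname for u in cfg.urls if urlparse(u).hostname]
    return sorted(set(hosts))


def template(note: str) -> str:
    """Note text with the per-victim and per-campaign fields replaced by placeholders."""
    t = ID_RE.sub("personal ID: <ID>", note)
    t = EMAIL_RE.sub("<EMAIL>", t)
    t = URL_RE.sub("<URL>", t)
    t = PRICE_RE.sub("$<PRICE>", t)
    return " ".join(t.split())


def template_hash(note: str) -> str:
    """SHA-256 of the blanked template: equal for notes from the same builder."""
    return hashlib.sha256(template(note).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    cfg = extract(NOTE)
    print(cfg)
    print("domains:", domains(cfg))
    print("template hash:", template_hash(NOTE))
```

The template hash is the useful pivot: two notes with different victim IDs, mailboxes or prices but the same wording hash identically, which is what you want when matching a new sample against notes seen before.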

Signatures 17

Tactics with matched signatures: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • Suspicious use of WriteProcessMemory
    Processes: 70BC.tmp.exe (1492), 70BC.tmp.exe (2204), 5.exe (3944), cmd.exe (1648), updatewin1.exe (3776), updatewin1.exe (3568)

    Every target below is a child that the writing process had itself just started (compare the process tree), and each parent/child pair shows the same three writes. That is what ordinary process start-up looks like to a cross-process-write hook; nothing here shows a write into a pre-existing or unrelated process, so treat this signature as corroboration of the tree rather than as a separate injection finding.

    Reported IOCs

    description | pid | process | target process
    PID 1492 wrote to memory of 2120 | 1492 | 70BC.tmp.exe | icacls.exe
    PID 1492 wrote to memory of 2120 | 1492 | 70BC.tmp.exe | icacls.exe
    PID 1492 wrote to memory of 2120 | 1492 | 70BC.tmp.exe | icacls.exe
    PID 1492 wrote to memory of 2204 | 1492 | 70BC.tmp.exe | 70BC.tmp.exe
    PID 1492 wrote to memory of 2204 | 1492 | 70BC.tmp.exe | 70BC.tmp.exe
    PID 1492 wrote to memory of 2204 | 1492 | 70BC.tmp.exe | 70BC.tmp.exe
    PID 2204 wrote to memory of 3776 | 2204 | 70BC.tmp.exe | updatewin1.exe
    PID 2204 wrote to memory of 3776 | 2204 | 70BC.tmp.exe | updatewin1.exe
    PID 2204 wrote to memory of 3776 | 2204 | 70BC.tmp.exe | updatewin1.exe
    PID 2204 wrote to memory of 4024 | 2204 | 70BC.tmp.exe | updatewin2.exe
    PID 2204 wrote to memory of 4024 | 2204 | 70BC.tmp.exe | updatewin2.exe
    PID 2204 wrote to memory of 4024 | 2204 | 70BC.tmp.exe | updatewin2.exe
    PID 2204 wrote to memory of 3944 | 2204 | 70BC.tmp.exe | 5.exe
    PID 2204 wrote to memory of 3944 | 2204 | 70BC.tmp.exe | 5.exe
    PID 2204 wrote to memory of 3944 | 2204 | 70BC.tmp.exe | 5.exe
    PID 3944 wrote to memory of 1648 | 3944 | 5.exe | cmd.exe
    PID 3944 wrote to memory of 1648 | 3944 | 5.exe | cmd.exe
    PID 3944 wrote to memory of 1648 | 3944 | 5.exe | cmd.exe
    PID 1648 wrote to memory of 1500 | 1648 | cmd.exe | taskkill.exe
    PID 1648 wrote to memory of 1500 | 1648 | cmd.exe | taskkill.exe
    PID 1648 wrote to memory of 1500 | 1648 | cmd.exe | taskkill.exe
    PID 3776 wrote to memory of 3568 | 3776 | updatewin1.exe | updatewin1.exe
    PID 3776 wrote to memory of 3568 | 3776 | updatewin1.exe | updatewin1.exe
    PID 3776 wrote to memory of 3568 | 3776 | updatewin1.exe | updatewin1.exe
    PID 3568 wrote to memory of 3436 | 3568 | updatewin1.exe | powershell.exe
    PID 3568 wrote to memory of 3436 | 3568 | updatewin1.exe | powershell.exe
    PID 3568 wrote to memory of 3436 | 3568 | updatewin1.exe | powershell.exe
  • Opens file in notepad (likely ransom note)
    Process: NOTEPAD.EXE (1012)

    Reported IOCs

    pid | process
    1012 | NOTEPAD.EXE
  • Checks for installed software on the system
    Process: 5.exe (3944)

    TTPs

    Query Registry

    5.exe opens and enumerates the 32-bit Uninstall hive and then reads the DisplayName of every product subkey, i.e. it takes a complete inventory of installed software rather than probing for one particular product.

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
    Key enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\<subkey>\DisplayName, for each subkey listed below | 5.exe

    Subkeys whose DisplayName was read, in the order reported:
    DirectDrawEx, DXM_Runtime, IE4Data, SchedulingAgent, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573, {AC76BA86-7AD7-1033-7B44-AC0F074E4100}, Connection Manager, MobileOptionPack, {f4220b74-9edd-4ded-bc8b-0342c1e164d8}, IE40, IEData, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173, Google Chrome, AddressBook, {ef6b00ec-13e1-4c25-9064-b2f383cb8412}, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063, MPlayer2, Fontcore, IE5BAKEX, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743, {4A03706F-666A-4037-7777-5F2748764D10}, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860, {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}, WIC, {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757
  • Drops file in Drivers directory
    Process: updatewin2.exe (4024)

    The only file touched under the drivers directory is the hosts file. The report records the open-for-modification but not the content written; on a live host, diff C:\Windows\System32\drivers\etc\hosts against a known-good copy, since entries added here silently redirect name resolution for whatever domains the sample chose.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | updatewin2.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    20 | ip-api.com
  • Modifies file permissions
    Process: icacls.exe (2120)

    TTPs

    File Permissions Modification

    The command (see the process tree) is icacls "C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5" /deny *S-1-1-0:(OI)(CI)(DE,DC). The *S-1-1-0 argument is the Everyone SID passed literally, (OI)(CI) makes the ACE inherit to files and subfolders, and DE,DC deny delete and delete-child. The ACE does not restrict reading or execution; it only stops the persistence copy in that folder (the one the Run key points at) from being removed. Before cleanup, strip the deny ACE with icacls "<that folder>" /remove:d *S-1-1-0 /t and then delete the folder.

    Reported IOCs

    pid | process
    2120 | icacls.exe
  • Suspicious behavior: EnumeratesProcesses
    Processes: 70BC.tmp.exe (1492), 70BC.tmp.exe (2204), 5.exe (3944), WerFault.exe (2996), 70BC.tmp.exe (1464)

    Reported IOCs (repeated hits from one process collapsed to a count)

    pid | process | hits
    1492 | 70BC.tmp.exe | 2
    2204 | 70BC.tmp.exe | 2
    3944 | 5.exe | 8
    2996 | WerFault.exe | 16
    1464 | 70BC.tmp.exe | 2
    2204 | 70BC.tmp.exe | 2

    The WerFault.exe hits come from the crash handler walking the process list while it dumps powershell.exe (PID 3436) and are expected for that tool; the enumeration by the sample's own processes is what matters here.
  • Executes dropped EXE
    Processes: updatewin1.exe (3776), updatewin2.exe (4024), 5.exe (3944), updatewin1.exe (3568), 70BC.tmp.exe (1464)

    Reported IOCs

    pid | process
    3776 | updatewin1.exe
    4024 | updatewin2.exe
    3944 | 5.exe
    3568 | updatewin1.exe
    1464 | 70BC.tmp.exe
  • Loads dropped DLL
    Process: 5.exe (3944)

    The only DLLs listed as dropped in this run are \ProgramData\mozglue.dll and \ProgramData\nss3.dll (see Downloads). Those are the Mozilla NSS library names that credential stealers commonly carry to decrypt Firefox profile data, which fits the browser and email-client signatures below; the report does not show which files 5.exe loaded, so confirm on the image-load events before relying on it.

    Reported IOCs

    pid | process
    3944 | 5.exe
    3944 | 5.exe
  • Suspicious use of AdjustPrivilegeToken
    Processes: taskkill.exe (1500), WerFault.exe (2996)

    Both are built-in tools doing their normal work: taskkill enables SeDebugPrivilege to force-terminate 5.exe, and WerFault enables backup, restore and debug privileges to read and dump the crashed powershell.exe. Neither indicates privilege escalation by the sample.

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1500 | taskkill.exe
    Token: SeRestorePrivilege | 2996 | WerFault.exe
    Token: SeBackupPrivilege | 2996 | WerFault.exe
    Token: SeDebugPrivilege | 2996 | WerFault.exe
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files

    No per-event IOCs are listed for this signature in the report, so it does not identify which process or which client profile was read.
  • Kills process with taskkill
    Process: taskkill.exe (1500)

    This is 5.exe removing itself: it spawns cmd.exe /c taskkill /im 5.exe /f & erase <its own path> & exit (see the process tree), so the dropped stealer is gone from disk once it has run.

    Reported IOCs

    pid | process
    1500 | taskkill.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Modifies system certificate store
    Process: 70BC.tmp.exe (1492)

    TTPs

    Install Root Certificate, Modify Registry

    The key is created under AuthRoot, and the Downloads list shows a CryptnetUrlCache Content/MetaData pair from the same run. That combination is consistent with Windows' automatic root-certificate update fetching a missing public root when the sample first made a TLS connection, rather than the sample installing a root of its own. Before treating this as malicious, decode the Blob and check whether the certificate's subject is a well-known public CA.

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | 70BC.tmp.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | 70BC.tmp.exe
  • Program crash
    Process: WerFault.exe (2996)

    The crashed process is powershell.exe (PID 3436), the one launched by updatewin1.exe to run Set-ExecutionPolicy -Scope CurrentUser RemoteSigned; the -p 3436 argument to WerFault is that PID. The policy change may therefore not have been applied; on a live host, check the ExecutionPolicy value under HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell.

    Reported IOCs

    pid | pid_target | process | target process
    2996 | 3436 | WerFault.exe | powershell.exe
  • Checks processor information in registry
    Process: 5.exe (3944)

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe
  • Adds Run entry to start application
    Process: 70BC.tmp.exe (1492)

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    The value name is SysHelper and it points at the copy of the sample in the GUID-named folder under AppData\Local, started with --AutoStart; that is the same folder the icacls ACE above protects from deletion. The report shows the value JSON-escaped (doubled backslashes); the actual data is shown unescaped below. Removal order on a host: delete this value, strip the deny ACE, then delete the folder.

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe" --AutoStart | 70BC.tmp.exe
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe"
    Suspicious use of WriteProcessMemory
    Suspicious behavior: EnumeratesProcesses
    Modifies system certificate store
    Adds Run entry to start application
    PID:1492
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:2120
    • C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe" --Admin IsNotAutoStart IsNotTask
      Suspicious use of WriteProcessMemory
      Suspicious behavior: EnumeratesProcesses
      PID:2204
      • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
        "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe"
        Suspicious use of WriteProcessMemory
        Executes dropped EXE
        PID:3776
        • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
          "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe" --Admin
          Suspicious use of WriteProcessMemory
          Executes dropped EXE
          PID:3568
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            PID:3436
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 668
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              Program crash
              PID:2996
      • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
        "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        PID:4024
      • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
        "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe"
        Suspicious use of WriteProcessMemory
        Checks for installed software on the system
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        PID:3944
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe & exit
          Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 5.exe /f
            Suspicious use of AdjustPrivilegeToken
            Kills process with taskkill
            PID:1500
  • C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
    C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe --Task
    Suspicious behavior: EnumeratesProcesses
    Executes dropped EXE
    PID:1464
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    No signatures matched. This is the shell32 COM local-server host that COM activation starts with -Embedding; it sits outside the sample's process tree and nothing in the report ties it to the sample.
    PID:1144
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    Opens file in notepad (likely ransom note)
    PID:1012
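The process tree above is the kind of record a detection engineer turns into rules: the icacls deny on a user-profile folder, the Run key pointing into AppData, cmd.exe killing and erasing its own parent's image, the execution-policy change and the hosts-file write. The script below is an added example, not part of the sandbox or the sample; it replays the report's own PIDs, images and command lines through a handful of such rules and attributes every hit back to the root of the tree. The event layout (type/pid/ppid/image/cmdline) is this example's own, not a real sensor schema, and the rule names are illustrative.

```python
import re
from typing import Dict, List, Optional

# Events transcribed from the report's process tree and registry/file IOCs above.
# PIDs, images and command lines are the report's; the record layout is this example's own.
TMP = r"C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe"
DROP1 = r"C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5"
DROP2 = r"C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def proc(pid: int, ppid: int, image: str, cmdline: str) -> Dict:
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS: List[Dict] = [
    proc(1492, 0, TMP, rf'"{TMP}"'),
    proc(2120, 1492, r"C:\Windows\SysWOW64\icacls.exe",
         rf'icacls "{DROP1}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    proc(2204, 1492, TMP, rf'"{TMP}" --Admin IsNotAutoStart IsNotTask'),
    proc(3776, 2204, DROP2 + r"\updatewin1.exe", rf'"{DROP2}\updatewin1.exe"'),
    proc(3568, 3776, DROP2 + r"\updatewin1.exe", rf'"{DROP2}\updatewin1.exe" --Admin'),
    proc(3436, 3568, PS, "powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned"),
    proc(4024, 2204, DROP2 + r"\updatewin2.exe", rf'"{DROP2}\updatewin2.exe"'),
    proc(3944, 2204, DROP2 + r"\5.exe", rf'"{DROP2}\5.exe"'),
    proc(1648, 3944, r"C:\Windows\SysWOW64\cmd.exe",
         rf'"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase {DROP2}\5.exe & exit'),
    proc(1144, 0, r"C:\Windows\System32\rundll32.exe",  # benign COM host; must not alert
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
         r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    {"type": "registry", "pid": 1492,
     "key": r"\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": rf'"{DROP1}\70BC.tmp.exe" --AutoStart'},
    {"type": "file", "pid": 4024, "op": "modify", "path": r"C:\Windows\System32\drivers\etc\hosts"},
]

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
DELETE_RIGHTS = {"D", "DE", "DC", "F", "M"}  # icacls rights that block removal when denied


def rule_acl_lock(ev: Dict) -> Optional[str]:
    """icacls denying Everyone (S-1-1-0) a delete right on a folder under the user profile."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("icacls.exe"):
        return None
    c = ev["cmdline"]
    rights = {t.strip() for grp in re.findall(r"\(([^)]*)\)", c) for t in grp.split(",")}
    if "/deny" in c and "*S-1-1-0" in c and rights & DELETE_RIGHTS and USER_PROFILE.search(c):
        return "acl_lock"
    return None


def rule_self_delete(ev: Dict) -> Optional[str]:
    """cmd.exe that kills a process by image name and then erases that same image."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("cmd.exe"):
        return None
    kill = re.search(r"taskkill\s+/im\s+(\S+)", ev["cmdline"], re.I)
    wipe = re.search(r"\b(?:erase|del)\b(.*)", ev["cmdline"], re.I)
    if kill and wipe and kill.group(1).lower() in wipe.group(1).lower():
        return "self_delete"
    return None


def rule_exec_policy(ev: Dict) -> Optional[str]:
    if (ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe")
            and "set-executionpolicy" in ev["cmdline"].lower()):
        return "execution_policy_change"
    return None


def rule_run_key(ev: Dict) -> Optional[str]:
    """Run value whose command points into the user's AppData tree."""
    if (ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower()
            and USER_PROFILE.search(ev["data"])):
        return "run_key_persistence"
    return None


def rule_hosts(ev: Dict) -> Optional[str]:
    if ev["type"] == "file" and ev["op"] == "modify" and ev["path"].lower().endswith(r"\drivers\etc\hosts"):
        return "hosts_modified"
    return None


RULES = [rule_acl_lock, rule_self_delete, rule_exec_policy, rule_run_key, rule_hosts]


def root_of(pid: int, parents: Dict[int, int]) -> int:
    """Walk ppid links up to the tree root (ppid 0 or unknown), guarding against cycles."""
    seen = set()
    while pid in parents and parents[pid] and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events: List[Dict]) -> List[Dict]:
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"rule": hit, "pid": ev["pid"], "root_pid": root_of(ev["pid"], parents)})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:24} pid={f['pid']:<5} root={f['root_pid']}")
```

Attributing each hit to the root PID is what lets five weak signals from five different processes collapse into one incident on 70BC.tmp.exe (1492); the rundll32 COM host, which has no parent in the tree, correctly produces nothing.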
Downloads

Files:
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe (listed twice in the report)
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe (listed twice in the report)
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe (listed three times in the report)
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe (listed twice in the report)
  • C:\_readme.txt
  • \ProgramData\mozglue.dll
  • \ProgramData\nss3.dll

Memory dumps:
  • memory/1464-297-0x00000000011E0000-0x00000000011E1000-memory.dmp
  • memory/1492-1-0x0000000001280000-0x0000000001281000-memory.dmp
  • memory/1500-242-0x0000000000000000-mapping.dmp
  • memory/1648-241-0x0000000000000000-mapping.dmp
  • memory/2120-2-0x0000000000000000-mapping.dmp
  • memory/2204-298-0x0000000003AF0000-0x0000000003AF1000-memory.dmp
  • memory/2204-6-0x00000000011F0000-0x00000000011F1000-memory.dmp
  • memory/2204-4-0x0000000000000000-mapping.dmp
  • memory/2204-299-0x00000000042F0000-0x00000000042F1000-memory.dmp
  • memory/2204-300-0x0000000003AF0000-0x0000000003AF1000-memory.dmp
  • memory/2996-290-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
  • memory/2996-279-0x0000000004C80000-0x0000000004C81000-memory.dmp
  • memory/2996-274-0x0000000004C80000-0x0000000004C81000-memory.dmp
  • memory/2996-270-0x0000000004C80000-0x0000000004C81000-memory.dmp
  • memory/2996-261-0x0000000004C80000-0x0000000004C81000-memory.dmp
  • memory/2996-260-0x0000000004C80000-0x0000000004C81000-memory.dmp
  • memory/2996-289-0x0000000004D80000-0x0000000004D81000-memory.dmp
  • memory/2996-250-0x0000000004680000-0x0000000004681000-memory.dmp
  • memory/2996-251-0x0000000004680000-0x0000000004681000-memory.dmp
  • memory/2996-253-0x0000000004680000-0x0000000004681000-memory.dmp
  • memory/2996-281-0x0000000004C80000-0x0000000004C81000-memory.dmp
  • memory/3436-254-0x0000000000000000-mapping.dmp
  • memory/3436-256-0x0000000000000000-mapping.dmp
  • memory/3436-257-0x0000000000000000-mapping.dmp
  • memory/3436-258-0x0000000000000000-mapping.dmp
  • memory/3436-259-0x0000000000000000-mapping.dmp
  • memory/3436-285-0x0000000000000000-mapping.dmp
  • memory/3436-287-0x0000000000000000-mapping.dmp
  • memory/3436-286-0x0000000000000000-mapping.dmp
  • memory/3436-283-0x0000000000000000-mapping.dmp
  • memory/3436-288-0x0000000000000000-mapping.dmp
  • memory/3436-255-0x0000000000000000-mapping.dmp
  • memory/3436-249-0x0000000000000000-mapping.dmp
  • memory/3436-284-0x0000000000000000-mapping.dmp
  • memory/3568-248-0x00000000004D4000-0x00000000004D7000-memory.dmp
  • memory/3568-246-0x00000000020B0000-0x00000000020B1000-memory.dmp
  • memory/3568-244-0x0000000000000000-mapping.dmp
  • memory/3776-243-0x000000000048E000-0x000000000048F000-memory.dmp
  • memory/3776-9-0x0000000000000000-mapping.dmp
  • memory/3776-12-0x0000000002000000-0x0000000002001000-memory.dmp
  • memory/3944-17-0x0000000000000000-mapping.dmp
  • memory/3944-20-0x0000000000F25000-0x0000000000F26000-memory.dmp
  • memory/3944-21-0x0000000001210000-0x0000000001211000-memory.dmp
  • memory/4024-247-0x000000000065E000-0x000000000065F000-memory.dmp
  • memory/4024-16-0x00000000020E0000-0x00000000020E1000-memory.dmp
  • memory/4024-13-0x0000000000000000-mapping.dmp