Analysis
- max time kernel: 145s
- max time network: 114s
- platform: windows7_x64
- resource: win7v200410
- submitted: 27-04-2020 03:04
- Static task: static1
- Behavioral task: behavioral1 (Sample: F820.tmp.exe, Resource: win7v200410)
- Behavioral task: behavioral2 (Sample: F820.tmp.exe, Resource: win10v200410)

General
- Target: F820.tmp.exe
- Size: 813KB
- MD5: 42e683f3f24484bd47f079b114002571
- SHA1: 4a7840d449e1454561a34c49f7d91224ef892e2c
- SHA256: ce90d07b63358dc14f246849d5a04b41692c849cdd2de04c2dc8b0e161a45b3e
- SHA512: fff26cf5458487b88872f5150cf3ee10a2d6b6a94a16e05daf672fb7407c0e417d8477b0d8a5ab96f417669c16149bea98a8075ab7609379cce7006a5be69c8f

Malware Config

Signatures

Suspicious use of WriteProcessMemory (77 IoCs)
Processes: F820.tmp.exe, F820.tmp.exe, updatewin1.exe, updatewin1.exe, powershell.exe
- PID 2024 (F820.tmp.exe) wrote to memory of PID 1640 (icacls.exe), 4 events
- PID 2024 (F820.tmp.exe) wrote to memory of PID 996 (F820.tmp.exe), 4 events
- PID 996 (F820.tmp.exe) wrote to memory of PID 1748 (updatewin1.exe), 7 events
- PID 1748 (updatewin1.exe) wrote to memory of PID 1780 (updatewin1.exe), 7 events
- PID 996 (F820.tmp.exe) wrote to memory of PID 1820 (updatewin2.exe), 7 events
- PID 1780 (updatewin1.exe) wrote to memory of PID 1840 (powershell.exe), 7 events
- PID 996 (F820.tmp.exe) wrote to memory of PID 1568 (5.exe), 4 events
- PID 1780 (updatewin1.exe) wrote to memory of PID 1584 (powershell.exe), 7 events
- PID 1584 (powershell.exe) wrote to memory of PID 1164 (powershell.exe), 7 events
- PID 1780 (updatewin1.exe) wrote to memory of PID 1696 (mpcmdrun.exe), 4 events
- PID 1780 (updatewin1.exe) wrote to memory of PID 1724 (cmd.exe), 6 events

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, powershell.exe, powershell.exe, taskkill.exe
- Token: SeDebugPrivilege, PID 1840 powershell.exe
- Token: SeDebugPrivilege, PID 1584 powershell.exe
- Token: SeDebugPrivilege, PID 1164 powershell.exe
- Token: SeDebugPrivilege, PID 1460 taskkill.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Drops file in Drivers directory (1 IoCs)
Processes: updatewin2.exe
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (updatewin2.exe)

Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
- PID 1460 taskkill.exe

Makes http(s) request (19 IoCs)
Contacts server via http/https, possibly for C2 communication.
HTTP URLs by network flow:
- flow 6: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- flow 9: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- flow 11: http://akbz.top/files/penelop/updatewin1.exe
- flow 12: http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=7FE0677D783F4AD4240B4688EDAACCFA&first=true
- flow 13: http://akbz.top/files/penelop/updatewin2.exe
- flow 14: http://akbz.top/files/penelop/updatewin.exe
- flow 15: http://akbz.top/files/penelop/3.exe
- flow 16: http://akbz.top/files/penelop/4.exe
- flow 17: http://akbz.top/files/penelop/5.exe
- flow 20: http://evergladsea.com/
- flow 20: http://evergladsea.com/517
- flow 20: http://evergladsea.com/freebl3.dll
- flow 20: http://evergladsea.com/mozglue.dll
- flow 20: http://evergladsea.com/msvcp140.dll
- flow 20: http://evergladsea.com/nss3.dll
- flow 20: http://evergladsea.com/softokn3.dll
- flow 20: http://evergladsea.com/vcruntime140.dll
- flow 22: http://ip-api.com/line/
- flow 31: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Loads dropped DLL (16 IoCs)
Processes: F820.tmp.exe, updatewin1.exe, updatewin1.exe, 5.exe
- PID 996 F820.tmp.exe (4 loads)
- PID 1748 updatewin1.exe (5 loads)
- PID 1780 updatewin1.exe (3 loads)
- PID 1568 5.exe (4 loads)

Executes dropped EXE (5 IoCs)
Processes: updatewin1.exe, updatewin1.exe, updatewin2.exe, 5.exe, F820.tmp.exe
- PID 1748 updatewin1.exe
- PID 1780 updatewin1.exe
- PID 1820 updatewin2.exe
- PID 1568 5.exe
- PID 700 F820.tmp.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 5.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (5.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (5.exe)

Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
- PID 1656 NOTEPAD.EXE

Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes: F820.tmp.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5def4699-2071-43af-b361-72c272756e78\\F820.tmp.exe\" --AutoStart" (F820.tmp.exe)

Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes: F820.tmp.exe, F820.tmp.exe, powershell.exe, powershell.exe, 5.exe, powershell.exe, F820.tmp.exe
- PID 2024 F820.tmp.exe (2 events)
- PID 996 F820.tmp.exe (3 events)
- PID 1840 powershell.exe (3 events)
- PID 1584 powershell.exe (2 events)
- PID 1568 5.exe (4 events)
- PID 1164 powershell.exe (1 event)
- PID 700 F820.tmp.exe (2 events)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 21: ip-api.com

Modifies file permissions (1 TTPs, 1 IoCs)

Checks for installed software on the system (1 TTPs, 28 IoCs)
Processes: 5.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (5.exe)
- Key enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (5.exe)
- Key values queried by 5.exe, all under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\:
  - IE40\DisplayName
  - IEData\DisplayName
  - Fontcore\DisplayName
  - WIC\DisplayName
  - {92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName
  - {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  - Connection Manager\DisplayName
  - SchedulingAgent\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
  - {AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
  - DirectDrawEx\DisplayName
  - IE5BAKEX\DisplayName
  - AddressBook\DisplayName
  - {00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
  - IE4Data\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
  - {BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
  - {ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  - {f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  - Adobe AIR\DisplayName
  - MobileOptionPack\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
  - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName

Disables Task Manager via registry modification

Processes
(process tree; indentation shows parent/child relationship, each entry gives the image path, the recorded command line and the signatures that fired for that process)

- C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe"
  Signatures: Suspicious use of WriteProcessMemory; Adds Run entry to start application; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    Signatures: Modifies file permissions
  - C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe" --Admin IsNotAutoStart IsNotTask
    Signatures: Suspicious use of WriteProcessMemory; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
      Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe"
      Signatures: Suspicious use of WriteProcessMemory; Loads dropped DLL; Executes dropped EXE
      - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
        Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe" --Admin
        Signatures: Suspicious use of WriteProcessMemory; Loads dropped DLL; Executes dropped EXE
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
          Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
          Signatures: Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
            Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious behavior: EnumeratesProcesses
        - C:\Program Files\Windows Defender\mpcmdrun.exe
          Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
    - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe
      Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe"
      Signatures: Drops file in Drivers directory; Executes dropped EXE
    - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
      Command line: "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe"
      Signatures: Loads dropped DLL; Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Checks for installed software on the system
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe & exit
        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im 5.exe /f
          Signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {969DBEDC-FA5C-43ED-ADFC-B54FB9707DB8} S-1-5-21-3765897441-2376744223-3151462503-1000:BKIWADLA\Admin:Interactive:[1]
  - C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe
    Command line: C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe --Task
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
  Signatures: Opens file in notepad (likely ransom note)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
- C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
- C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe
- C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_05471756-4b9c-45e9-8ddd-05fab605d637
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1d59a429-221c-4f91-aca4-cb149fe0cdc3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_20b90e15-f237-499e-a823-6772568bf000
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_37386d62-281a-4a91-a575-6755e45f3238
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5028523d-10aa-4674-b3d1-9db9e7b9fbf6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a24b3c29-8785-47a4-90c7-9951cb5bf055
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3feaac6-0199-4ad4-87ff-a4b7cbd02223
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
- C:\Users\Admin\AppData\Local\Temp\delself.bat
- C:\Users\Admin\AppData\Local\script.ps1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- C:\_readme.txt
- \ProgramData\mozglue.dll
- \ProgramData\msvcp140.dll
- \ProgramData\nss3.dll
- \ProgramData\vcruntime140.dll
- \Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
- \Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
- \Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe