Malware Analysis Report

2024-09-11 05:59

Sample ID 240529-r5w6zaae24
Target Itachi14.exe
SHA256 a1e14a5e8c81492585b8ad41bc7aea4a3200661d06ffcfb8ac633770d94316df
Tags bootkit discovery evasion exploit persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 a1e14a5e8c81492585b8ad41bc7aea4a3200661d06ffcfb8ac633770d94316df

Threat Level: Known bad

The file Itachi14.exe was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion exploit persistence trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Possible privilege escalation attempt

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-29 14:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 14:47

Reported

2024-05-29 14:49

Platform

win7-20240221-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Itachi14.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Detroy" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\MBR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MBR.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Windows\System32\MBR.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\darkpcm.wav C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423155934" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000405d80a64b8c2440a29c19b8be8e7989000000000200000000001066000000010000200000002a364db4f0a024a910328e957ddbc136658acddca02f4c6863b8c8c99876702f000000000e8000000002000020000000719a9d97d8e969f3154ccf96032bf24f1f5d4009a3d282635b6c03807991490d20000000dd371541c588adc4241419c24b23e0be2093a3e575f1a724185d5871dad08faf40000000e24f7236fcad41399ca8cccc67183009e6f3e5b601602cf1cff586edc71cdf315114bfcbde6e50895aa5118e9c1bf193bcbb954ca84c2accc66338c2d3abfad8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000405d80a64b8c2440a29c19b8be8e798900000000020000000000106600000001000020000000932d25d7da5d194eac060331865d4987e2565d2617dd1d3ad5e34841923327f6000000000e800000000200002000000062c53b753eee069e4e751e1aeae7e3e55f98cd0ade8f6f8f9532d2b4d19e328d900000009507b93d3f0904128c9fe5f7a1258dbcfa35f5710c48942703cdc2fa8fd21948af29c62e76848b5c6b6cfc2530a450270cbc986216b0e7a00601f335bcb7938ab4dff6d6040338047d8beae0c18036a242c0371da4c6dd62bd8ffecb08c6b3c2ed2187d6b7fda3242b1a41d736e7651a5aed7c68416cfafaa1edb1d3856e5cfb0e1de9ef490f0d9b63aeaf830b0f8f4440000000479da2917635568e9042b214885e4f3476ecdcbc5cdda513b157b77ec5016236b776766f5551d7551e60e45510714c2dd7f5355c552f88cc922f98eed5f0273f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68064F51-1DCA-11EF-B35F-5267BFD3BAD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c07231d7b1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\NOTEPAD.EXE
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\NOTEPAD.EXE
PID 2148 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\NOTEPAD.EXE
PID 2148 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\cmd.exe
PID 2148 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\cmd.exe
PID 2148 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2788 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2788 wrote to memory of 2856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2788 wrote to memory of 2856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2788 wrote to memory of 2856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2148 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 2148 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 2148 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 2148 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 2868 wrote to memory of 2492 N/A C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
PID 2868 wrote to memory of 2492 N/A C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
PID 2868 wrote to memory of 2492 N/A C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
PID 2868 wrote to memory of 2492 N/A C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
PID 2148 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2148 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2148 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2728 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2696 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2640 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2728 wrote to memory of 2856 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2148 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\WerFault.exe
PID 2148 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\WerFault.exe
PID 2148 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\WerFault.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Itachi14.exe

"C:\Users\Admin\AppData\Local\Temp\Itachi14.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\Note.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

C:\Windows\System32\MBR.exe

"C:\Windows\System32\MBR.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/c/10GTech

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:668677 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:406544 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275485 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:603170 /prefetch:2

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2148 -s 1284

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
FR 216.58.214.174:443 consent.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
FR 172.217.20.196:443 www.google.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
FR 216.58.214.174:443 consent.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp
FR 216.58.214.174:443 consent.youtube.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 14:47

Reported

2024-05-29 14:49

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Itachi14.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Detroy" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\System32\MBR.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\MBR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Windows\System32\MBR.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\darkpcm.wav C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\System32\MBR.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\NOTEPAD.EXE
PID 1620 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\system32\NOTEPAD.EXE
PID 1620 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\cmd.exe
PID 1620 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1972 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1972 wrote to memory of 936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1972 wrote to memory of 936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1620 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 1620 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 1620 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Windows\System32\MBR.exe
PID 5064 wrote to memory of 3368 N/A C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
PID 5064 wrote to memory of 3368 N/A C:\Windows\System32\MBR.exe C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
PID 1620 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5868 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5240 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5896 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5896 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5848 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5848 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5824 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1620 wrote to memory of 5824 N/A C:\Users\Admin\AppData\Local\Temp\Itachi14.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Itachi14.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Itachi14.exe

"C:\Users\Admin\AppData\Local\Temp\Itachi14.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\Note.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

C:\Windows\System32\MBR.exe

"C:\Windows\System32\MBR.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x418 0x510

C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/c/10GTech

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=4968,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4960,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=5240,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5516,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5840,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5828,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/c/10GTech

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=6260,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCFALvbUnFTBKV4baaAd1rwQ

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=6168,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCsKYrqbRTaKoQWvv7uDJCww

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=6152,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6724,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/c/KhachNguyem

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5756,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCenBQNAvEtw37BWLgM_A8Aw

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6928,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=6864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCenBQNAvEtw37BWLgM_A8Aw

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6924,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=7080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCsKYrqbRTaKoQWvv7uDJCww

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=7220,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=7172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/c/10GTech

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=7392,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCenBQNAvEtw37BWLgM_A8Aw

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=4176,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
GB 142.250.200.46:443 www.youtube.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 216.58.212.206:443 consent.youtube.com tcp
US 2.17.251.21:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 21.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
GB 216.58.212.206:443 consent.youtube.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 consent.youtube.com udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

memory/1620-0-0x00007FFBF8273000-0x00007FFBF8275000-memory.dmp

memory/1620-1-0x0000000000370000-0x000000000072E000-memory.dmp

memory/1620-2-0x00007FFBF8270000-0x00007FFBF8D31000-memory.dmp

C:\Users\Admin\Videos\Note.txt

MD5 f9a3021079230ae092939240aa8bf586
SHA1 9c8f705d468bbac25e6e3d5acda59fe18a2f5b10
SHA256 88ac0a64c577c26fceabf42c104cac21df3e861743f144d9dd881877082617ea
SHA512 f1291e2e5910e7e20f77bbd9285ea6751f3b99e7ef2a6827f9233fde31e4828026e09ff374c8455057efec20e6ec06ddff9abe11ae62b07fa0a80c5871afa9d0

C:\Windows\System32\MBR.exe

MD5 298749b226539c7fbd902d48e569eb0f
SHA1 a20706bdd4d0fbaf1a109fd5519c154270a3a6fc
SHA256 dcf2180004efebe41e00b057234df218c1c05f0add1509125a9724f125a30f97
SHA512 185ef5cbf21179dab8d0c2fa3962695a7b2305acb29a1b77fe291965ab541c12ddd354eca05dc75b1c59851fd3742cc0183209908f320afae77e8c67765ade40

C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe

MD5 15ab83fb10ce58353ab3f206990e698a
SHA1 54be6c19063a68d385eb3d7ba64a812b95ccb438
SHA256 a369873db29763760ff3031ccc46505fd8ea715a4ade7e05ef503b32627d949c
SHA512 e2ca16f2ac5ad4e989b01ea356d422efc69a0b6f7497ee8e74ed2b4af224f549fa9d4a4ce5e8f5888ea5c63572b72e5f51dfe78ef143b2c7452e3612c13d1aca

memory/3368-80-0x0000000000710000-0x0000000000728000-memory.dmp

memory/3368-81-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

C:\Program Files\darkpcm.wav

MD5 42fd98add941a9eaad60d02567ad6ce6
SHA1 22889f394658cf25af344ff76ba6d93e939f7e2c
SHA256 5127d449b33156073e314cb774949d433341ea84238f14de598f82359e52e6fb
SHA512 562b88a37e5c070d213c942a8cc074437c5adeaa6a7e9725e661ff0f70e19a8a1e0397f6f1f6796e813c45dd8f0d499078a88e3450939993c22f7fe705782354

memory/5064-111-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1620-128-0x00007FFBF8273000-0x00007FFBF8275000-memory.dmp

memory/1620-137-0x00007FFBF8270000-0x00007FFBF8D31000-memory.dmp