Malware Analysis Report

2024-11-13 17:22

Sample ID 241106-rmfq9sscmq
Target 06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784
SHA256 06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784
Tags
targetcompany evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784

Threat Level: Known bad

The file 06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784 was found to be: Known bad.

Malicious Activity Summary

targetcompany evasion ransomware

TargetCompany,Mallox

Targetcompany family

Renames multiple (346) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (241) files with added filename extension

Checks computer location settings

Looks up external IP address via web service

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 14:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 14:18

Reported

2024-11-06 14:20

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe"

Signatures

TargetCompany,Mallox

ransomware targetcompany

Targetcompany family

targetcompany

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (346) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_contrast-black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.NetworkTroubleshooter.winmd C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Heart.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1949_32x32x32.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Wide310x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GlassPixelShader.cso C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\be\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\167.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\refresh_16x16x32.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\de\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker22.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\moe_status_icons.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\171.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\WeatherColorIcons.ttf C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinResearcher.xml C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe

"C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled no

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
RU 91.215.85.142:80 91.215.85.142 tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 142.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.127.0.1:135 tcp
FI 37.27.61.182:445 tcp
FI 37.27.61.182:139 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 37.27.61.182:445 tcp
FI 37.27.61.182:139 tcp
FI 37.27.61.182:135 tcp

Files

F:\HOW TO BACK FILES.txt

MD5 0b022cdf580397e7c3563839233e91fd
SHA1 2358535f70344dfd6387e045014b94d9bd0a330a
SHA256 60ca985d6f68964b6ca4fa1c7be4637462cb236451d38770bc40db82382891bd
SHA512 48f2d9f703f2f93f6e8095b871e3a4a48617832cab37ac0284ba5787e530e6af4a7e5474de22b71f57bd103d91cfe4907deb1b68fa902742a698052d4ac6d540

C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-493223053-2004649691-1575712786-1000-MergedResources-0.pri

MD5 713aef0b9c1997a42a9c043a54b44821
SHA1 67e6c2b30185a79292f8a6999bf4f9114266374f
SHA256 d4655b87c333151ce6f08f51cc9a606dc1953bd9e851eeb4b26fc547c55cf82c
SHA512 14844e8658bde005b1df3595c74491cd9c4c5af3da6721475daf17b7932b9a82d5b203f54eb77faafd5940dc0822d942c02f9ad4d1aa0075958281b26f940b0e

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 14:18

Reported

2024-11-06 14:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe"

Signatures

TargetCompany,Mallox

ransomware targetcompany

Targetcompany family

targetcompany

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (241) files with added filename extension

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\en-US\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\en-US\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Music.jtp C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Games\Chess\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\StopMerge.i64 C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Skins\Revert.wmz C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Microsoft Games\Chess\fr-FR\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\DVD Maker\fr-FR\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\WMPDMCCore.dll.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\WMPSideShowGadget.exe.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File created C:\Program Files (x86)\Windows Media Player\es-ES\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\Genko_2.jtp C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe C:\Windows\System32\cmd.exe
PID 2388 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2388 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2388 wrote to memory of 2276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 280 wrote to memory of 2108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 280 wrote to memory of 2108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 280 wrote to memory of 2108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1" C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe

"C:\Users\Admin\AppData\Local\Temp\06699c98ed2ef759b2434ac5777a2886b966c0ffa1c96c046f5cde77fe833784.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled no

Network

Country Destination Domain Proto
N/A 10.127.0.1:135 tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:80 api.ipify.org tcp
RU 91.215.85.142:80 91.215.85.142 tcp
N/A 10.127.0.1:135 tcp
DE 49.12.169.208:135 tcp
DE 49.12.169.208:135 tcp
RU 91.215.85.142:80 91.215.85.142 tcp

Files

C:\HOW TO BACK FILES.txt

MD5 bf8952d75e7d49b6a6ecbb227e65e5cf
SHA1 a3a2609024b60cfded7b5d205dbf921f59a0d693
SHA256 20059c8bff439d0c4920fc19714ff7b6a2cdb0faacab20b1e63467f9f3ce7b51
SHA512 0953da4358c790c2f7373f6d4af129bf9aba659183f8905826cc30871821bfa5c8f3201ba0d0661c82065a604fd687c2167cfd17285069a8dbfefb213fcb0cc7