Malware Analysis Report

2024-10-16 03:28

Sample ID 230418-f3g4gshg62
Target 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe
SHA256 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81
Tags
avoslocker evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81

Threat Level: Known bad

The file 794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe was found to be: Known bad.

Malicious Activity Summary

avoslocker evasion ransomware

Avoslocker Ransomware

Modifies boot configuration data using bcdedit

Deletes shadow copies

Modifies extensions of user files

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-18 05:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-18 05:23

Reported

2023-04-18 05:26

Platform

win7-20230220-en

Max time kernel

60s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\ResolveEnable.tiff C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReadConvertFrom.tiff C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\DebugLock.tif => C:\Users\Admin\Pictures\DebugLock.tif.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\RemoveEnable.tiff => C:\Users\Admin\Pictures\RemoveEnable.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\RequestFind.png => C:\Users\Admin\Pictures\RequestFind.png.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\ResetTrace.crw => C:\Users\Admin\Pictures\ResetTrace.crw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\ReadConvertFrom.tiff => C:\Users\Admin\Pictures\ReadConvertFrom.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertToClose.png => C:\Users\Admin\Pictures\ConvertToClose.png.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeWrite.crw => C:\Users\Admin\Pictures\InvokeWrite.crw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\WaitInitialize.png => C:\Users\Admin\Pictures\WaitInitialize.png.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Users\Admin\Pictures\RemoveEnable.tiff C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeCompress.crw => C:\Users\Admin\Pictures\RevokeCompress.crw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveEnable.tiff => C:\Users\Admin\Pictures\ResolveEnable.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\LimitRename.tif => C:\Users\Admin\Pictures\LimitRename.tif.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\GrantWait.crw => C:\Users\Admin\Pictures\GrantWait.crw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\SearchConvert.crw => C:\Users\Admin\Pictures\SearchConvert.crw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1040352102.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185774.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Niue C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15058_.GIF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\networkinspection.dll.mui C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen.css C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105282.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18244_.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15173_.GIF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Internet Explorer\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199283.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05870_.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msado26.tlb C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageStyle.css C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1936 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1936 wrote to memory of 1056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1608 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1608 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1976 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1976 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1976 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1800 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1944 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1944 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1944 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1972 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2540 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 3524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 2540 wrote to memory of 3336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 2540 wrote to memory of 3336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 2540 wrote to memory of 3336 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

"C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1040352102.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

\Device\HarddiskVolume1\GET_YOUR_FILES_BACK.txt

MD5 9bcb42cd18f95356b2d1a1a4de0b5aad
SHA1 b03da5cab852e8fafc12a52e424ec4b10431270d
SHA256 6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA512 85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496

memory/2564-1798-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2564-1829-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2564-1977-0x000000001B190000-0x000000001B472000-memory.dmp

memory/2564-1990-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/2564-2461-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2564-2464-0x0000000002400000-0x0000000002480000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 696f3c89816fa4e7f6b0d9b32f3fb40d
SHA1 ac72491c5b793ca8cfd6c6b522303371613181cd
SHA256 272601253ff2746a6c6b7e47dac459ab133cab33acff8a9db063c3279bf28e4b
SHA512 4a662690fc7ebad5a3a321d913726edb5014d533ab36ae0bb295b9e3980eb985b82394afb40d486c87d373dc0da5999d914bce67a8fe473e4fce80e3379c6a74

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7CB0I1V55192Q6T34NP.temp

MD5 696f3c89816fa4e7f6b0d9b32f3fb40d
SHA1 ac72491c5b793ca8cfd6c6b522303371613181cd
SHA256 272601253ff2746a6c6b7e47dac459ab133cab33acff8a9db063c3279bf28e4b
SHA512 4a662690fc7ebad5a3a321d913726edb5014d533ab36ae0bb295b9e3980eb985b82394afb40d486c87d373dc0da5999d914bce67a8fe473e4fce80e3379c6a74

memory/2540-24605-0x000000001B270000-0x000000001B552000-memory.dmp

memory/2540-24604-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2540-24606-0x0000000002370000-0x0000000002378000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 9bcb42cd18f95356b2d1a1a4de0b5aad
SHA1 b03da5cab852e8fafc12a52e424ec4b10431270d
SHA256 6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA512 85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496

memory/2540-24608-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2540-24609-0x00000000025C0000-0x0000000002640000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1040352102.png

MD5 fb93594c806f5b3b4cc627d1cbcc9327
SHA1 d4c29ca6106bad5409748e7f949ccff1b7d150cc
SHA256 fbc6e6163add1cc990cc92afea4883465ab09b9eef49390eab674aab6c296fbb
SHA512 73c0a84dad9854315d58fdc6a088c5fbf978dab3a2e193833afc72ddc83b1bf3d4a339310b51b96eb23934eb27e3379f3989f9502fcc882d2a298cf69282fc55

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-18 05:23

Reported

2023-04-18 05:26

Platform

win10v2004-20230220-en

Max time kernel

112s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\UnpublishUnregister.crw => C:\Users\Admin\Pictures\UnpublishUnregister.crw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Users\Admin\Pictures\CloseUnregister.tiff C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\ResizeDeny.tif => C:\Users\Admin\Pictures\ResizeDeny.tif.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\CloseUnregister.tiff => C:\Users\Admin\Pictures\CloseUnregister.tiff.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\ConfirmInvoke.tif => C:\Users\Admin\Pictures\ConfirmInvoke.tif.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File renamed C:\Users\Admin\Pictures\SetUse.raw => C:\Users\Admin\Pictures\SetUse.raw.avos2 C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2125497753.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-125.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-150.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MarkAsReadToastQuickAction.scale-80.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gl\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Microsoft Office\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2132 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\SYSTEM32\cmd.exe
PID 2708 wrote to memory of 4508 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2708 wrote to memory of 4508 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2716 wrote to memory of 4180 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2716 wrote to memory of 4180 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2356 wrote to memory of 2232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4020 wrote to memory of 2088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4020 wrote to memory of 2088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1964 wrote to memory of 4412 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1964 wrote to memory of 4412 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2132 wrote to memory of 19172 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 19172 N/A C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 19172 wrote to memory of 13076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 19172 wrote to memory of 13076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 19172 wrote to memory of 19328 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 19172 wrote to memory of 19328 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe

"C:\Users\Admin\AppData\Local\Temp\794f3d25c42d383fad485f9af1d6d7c0508bcfe8ed80a1afea0e0b51bf92bc81.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2125497753.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 23.73.0.161:443 assets.msn.com tcp
US 8.8.8.8:53 161.0.73.23.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 209.197.3.8:80 tcp

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 9bcb42cd18f95356b2d1a1a4de0b5aad
SHA1 b03da5cab852e8fafc12a52e424ec4b10431270d
SHA256 6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA512 85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496

memory/2232-606-0x000001E4FCAD0000-0x000001E4FCAE0000-memory.dmp

memory/2232-607-0x000001E4FCAD0000-0x000001E4FCAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezxwde0o.emy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2232-644-0x000001E4FCBE0000-0x000001E4FCC02000-memory.dmp

memory/2232-731-0x000001E4FCAD0000-0x000001E4FCAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/19172-24897-0x0000025F19640000-0x0000025F19650000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7274a07d1b80de6f66290b47588cee3b
SHA1 d926b384806c755fe6b9d03f68852765aabb5703
SHA256 5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8
SHA512 b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

C:\GET_YOUR_FILES_BACK.txt

MD5 9bcb42cd18f95356b2d1a1a4de0b5aad
SHA1 b03da5cab852e8fafc12a52e424ec4b10431270d
SHA256 6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA512 85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496

memory/19172-24901-0x0000025F19640000-0x0000025F19650000-memory.dmp

C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

MD5 9bcb42cd18f95356b2d1a1a4de0b5aad
SHA1 b03da5cab852e8fafc12a52e424ec4b10431270d
SHA256 6e66527651da97c609c697e763e165eaf0fa1da104c26d311ec48fec9950ae24
SHA512 85961b90024f25a20943f9ce3b3c0959ced373d7b548cfc533bb51164aa615125528352438ab43e4b285ab570268bb4ed46f861db89d29d830230b9f63b0f496