avaddon | 90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e

General

Target

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
Size

570KB
MD5

4cb6d61ad2425bede38804cc18113e01
SHA1

faa8c450493e4ac9fdd95bed030dc2051da6c6b6
SHA256

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e
SHA512

318461bddb899f0883a54c2a3cd9814aa5a789d0f2aab0b64f340ea36256536350bfbc971f36c76dc929efbdbd6227dbb815a7a447322f806fb721f3e6ae8f24

Score

10^/10

avaddon evasion ransomware suricata trojan

Malware Config

Extracted

Path

C:\odt\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * eq9bvQoFDcz6riHLPOOiL

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 0ykyGdbZ3EhBDfPNavJpWzu9

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * NaMp4pONtqPk553PFRkxDA3ArlKb

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Favorites\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * n5HlPd3bl

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * KFJPX

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Searches\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * X02cCb2vssf

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Libraries\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 6sMBDCuLujnvteYZLDPrP

URLs

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\9j8Pznq_readme.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bCeBDDBaAB You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- Mzg1LU52WjFzSlg5TXdBS056cDkrMkk3bXdPM2Z4Snp5akRlTWRBK0twbGRwbEEvVCtBeVQ4dTdjMDBNZThyQTZwM09adzY1U245Z3ZWZVdvNWFUa1FIY0tlU3A4cVA3YXJ0dDVPRW1wc1Avc2MzYVJ6L0dZNUFqdktqOUtqRlZkWXgwb3owbzBkem9GZjhtZmk1bXAxNXpaTkVOL3pzYVhaS0lNVFgzL0hmSzlqbk1XKzhSNC9iRmJJQ0tHdnBobXRlcFE0NmNhWHhLQkI4Qjlqc2xkVzRwd0NweFE1dE9xaHkxUlN2M1dMbDY4ZnJHM2kyV0ozdlRIZVlvZi9yM25ncjlHQzFLNTZlZDZWSmdyVHFHMkRXcUx3R1kwbEYvblpkYm5LTFN5d0pIdVlmTWdlTUNnS3Ztb0o3blVVZWNaY2lxU3p1OGw2bWlBRGd1aVhCdCtxSnZRRXZyd0FZc3orUCtvaTlXSHlIMlF1bmlTY0ZXR2RoZ0VzbVBQc0F2MFFDV0k4WWkwYzQ3aVJqL2gvVXF0a005Wi9DQWRaZ2dEN2NNZTMzZUpDeFVCUC9lR0dqUy95bTkyM2drMlhBMEZuV3gwUkVyZXRoM09XaXBDS0I4THVaQ3ZSZU9lVWp2S2k1U0k2WE1yVFVzVTZFZm9kQkEva3NLN3Z5MnZmQnFwNkFIcHdNZWZYdlVNbzc0VWNNUHo0Q3BwdXVSRXk4dHVMNDR5dUxxTGRsL3lJOHhZSkVVQWtxSE5OYkdSSjFOc29KNCtmVnozR3dZaHF5V0htM0YrMGdsMHovUDhQdGozakE3azE3SGxNU1B3ekQrUXppZHBjTkcyQzNJQzJBZG1vckFaZlIxVW53andQMkhwRjY4R1U0L2ZTcXllKy9WZlVDRWk0MXpDREwrRzF2K3l4Vk1aUmZKS1FDSG5EQmk5NDBpdUVZYVVIYlMzSEgvRkROUVpYc1lvVUY1L0dlaVlUaGNhLzEyTXpYblJEV1lSeWlwWk9TT1JNRko2SjNyQytITzc5bDVhNng2T29JQnIveFA3MTM5TzRYRmxFVHRpRTNzTVFPTFhJOHlmWVdUMlVrQjhXRWNqS3pzYUNDNlNtWWE4ZjFSU0ZyRmpXSTRndUZYa25kbE85WnBBRU5FUEpiNjVDenphMmpWUndXZHBFRjFYRndvZ3l1blI4ZHFnMlZmaFRWK2ZkeCtibWlsUFAwTnpXZWFFWjI3Uk9PWEpycW5IMFZtU3pNb0pOZitkRzhxSm53bjR6WnQveFRaUFd2MDFBQXRjT0JZdUR2Y1BkcmFYcklDa3VqTFVBaDJTd0FiSkVxRXJDRkdBRUlvTSt1RjNZOFBtWmVMU1k5Nkl2NEh3OFU5dnBaUUFYM3dabVFnQ0txNnhPL2NyVEFGbFE5cW1nODZqOStvM1JhTno1ODhmS3NPZUdVMUNZVFlveWhrejBKcUdJaFd3bURZMEJzRXhGL2hTWVFFdWZMSS9FcFU4djdIRU5EK2pUdGsvOC9ncEpOcUNCdXZEREU1eUdjMXh5V1Vpc3U3aXBOblFoWlJ2alVWQm9sMW1DdHN4ZjFsdTE1b2w4b2tDVmVVYSs0UjdzbjFVaGFiaUMvRG83T3phUERDb2dnVmpabllXT2Y1L1dZL3IwcGRMSEoreW01MUJSYkhOQzBwQ3l2Q1llRmkwKzRuMmJsYW5NRkVWeDVLMURjVFZhUnhyUlJIdFAzWHhway9uT1lQVWgxNHJwejJiNkFTYkdFRVhtMVpwUFZPL2VVeEl4cDU4WVEyK20xT050bVlRTGxrbFY1dnZtUEJ1c0dBc3lXMk9icml5aUFZbDYwUzFxTmRmTlNYTjY0NU5JVXNBZUFqajNTMEhnays2TWlZRGhRK1ZFbEd0UVdhS0xCUkRXV0NLNWZtSmtwUWgvSUw0SVF0MEJUMHVOcTd1cStjN2thLzNjaEVqV3N4NEhGc20rdWZXdklOdGhPQ0k0YlVwVVFidjc1U1BNNDcwS05SRVZ4QXdTVlVkNlFzNFUwS2hUTlh1WTJNSEhqUVlFWU9kU1A3WnBZVkYzdGs2eHFoZ0FHWlNieFFibGM3MnNNcnphZFY1bUx0UkpWbi9CU0hhY09IL2NHWFZhVzQ= -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * OzsUM

URLs

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2156-132-0x0000000001010000-0x000000000112C000-memory.dmp	family_avaddon
behavioral2/memory/2156-133-0x0000000000400000-0x0000000000CBD000-memory.dmp	family_avaddon

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
suricata

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompareConvert.tif => C:\Users\Admin\Pictures\CompareConvert.tif.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\ConfirmConvert.crw => C:\Users\Admin\Pictures\ConfirmConvert.crw.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\GroupReceive.raw => C:\Users\Admin\Pictures\GroupReceive.raw.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\MeasureDismount.crw => C:\Users\Admin\Pictures\MeasureDismount.crw.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\PingResolve.tiff => C:\Users\Admin\Pictures\PingResolve.tiff.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\SearchLock.raw => C:\Users\Admin\Pictures\SearchLock.raw.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\SkipConnect.png => C:\Users\Admin\Pictures\SkipConnect.png.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\BackupSend.tif => C:\Users\Admin\Pictures\BackupSend.tif.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened for modification	C:\Users\Admin\Pictures\PingResolve.tiff	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\RestartConvertTo.raw => C:\Users\Admin\Pictures\RestartConvertTo.raw.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened for modification	C:\Users\Admin\Pictures\StepSplit.tiff	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\StepSplit.tiff => C:\Users\Admin\Pictures\StepSplit.tiff.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File renamed	C:\Users\Admin\Pictures\InitializeCompare.tif => C:\Users\Admin\Pictures\InitializeCompare.tif.bCeBDDBaAB	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

description	ioc	process
File opened (read-only)	\??\T:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\X:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\B:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\H:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\M:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\N:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\Q:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\R:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\F:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\O:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\P:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\S:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\V:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\Z:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\A:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\G:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\K:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\L:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\U:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\Y:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\E:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\I:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\J:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
File opened (read-only)	\??\W:	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.myip.com
40 api.myip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
39	api.myip.com
40	api.myip.com

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5092	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3560	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4712	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4772	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
5052	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4488	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
560	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4520	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
1764	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4484	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
216	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
1052	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3236	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3240	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
4260	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
648	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
1976	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
3924	2156	WerFault.exe	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

pid	process
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5080	wmic.exe
Token: SeSecurityPrivilege	5080	wmic.exe
Token: SeTakeOwnershipPrivilege	5080	wmic.exe
Token: SeLoadDriverPrivilege	5080	wmic.exe
Token: SeSystemProfilePrivilege	5080	wmic.exe
Token: SeSystemtimePrivilege	5080	wmic.exe
Token: SeProfSingleProcessPrivilege	5080	wmic.exe
Token: SeIncBasePriorityPrivilege	5080	wmic.exe
Token: SeCreatePagefilePrivilege	5080	wmic.exe
Token: SeBackupPrivilege	5080	wmic.exe
Token: SeRestorePrivilege	5080	wmic.exe
Token: SeShutdownPrivilege	5080	wmic.exe
Token: SeDebugPrivilege	5080	wmic.exe
Token: SeSystemEnvironmentPrivilege	5080	wmic.exe
Token: SeRemoteShutdownPrivilege	5080	wmic.exe
Token: SeUndockPrivilege	5080	wmic.exe
Token: SeManageVolumePrivilege	5080	wmic.exe
Token: 33	5080	wmic.exe
Token: 34	5080	wmic.exe
Token: 35	5080	wmic.exe
Token: 36	5080	wmic.exe
Token: SeIncreaseQuotaPrivilege	5056	wmic.exe
Token: SeSecurityPrivilege	5056	wmic.exe
Token: SeTakeOwnershipPrivilege	5056	wmic.exe
Token: SeLoadDriverPrivilege	5056	wmic.exe
Token: SeSystemProfilePrivilege	5056	wmic.exe
Token: SeSystemtimePrivilege	5056	wmic.exe
Token: SeProfSingleProcessPrivilege	5056	wmic.exe
Token: SeIncBasePriorityPrivilege	5056	wmic.exe
Token: SeCreatePagefilePrivilege	5056	wmic.exe
Token: SeBackupPrivilege	5056	wmic.exe
Token: SeRestorePrivilege	5056	wmic.exe
Token: SeShutdownPrivilege	5056	wmic.exe
Token: SeDebugPrivilege	5056	wmic.exe
Token: SeSystemEnvironmentPrivilege	5056	wmic.exe
Token: SeRemoteShutdownPrivilege	5056	wmic.exe
Token: SeUndockPrivilege	5056	wmic.exe
Token: SeManageVolumePrivilege	5056	wmic.exe
Token: 33	5056	wmic.exe
Token: 34	5056	wmic.exe
Token: 35	5056	wmic.exe
Token: 36	5056	wmic.exe
Token: SeIncreaseQuotaPrivilege	2176	wmic.exe
Token: SeSecurityPrivilege	2176	wmic.exe
Token: SeTakeOwnershipPrivilege	2176	wmic.exe
Token: SeLoadDriverPrivilege	2176	wmic.exe
Token: SeSystemProfilePrivilege	2176	wmic.exe
Token: SeSystemtimePrivilege	2176	wmic.exe
Token: SeProfSingleProcessPrivilege	2176	wmic.exe
Token: SeIncBasePriorityPrivilege	2176	wmic.exe
Token: SeCreatePagefilePrivilege	2176	wmic.exe
Token: SeBackupPrivilege	2176	wmic.exe
Token: SeRestorePrivilege	2176	wmic.exe
Token: SeShutdownPrivilege	2176	wmic.exe
Token: SeDebugPrivilege	2176	wmic.exe
Token: SeSystemEnvironmentPrivilege	2176	wmic.exe
Token: SeRemoteShutdownPrivilege	2176	wmic.exe
Token: SeUndockPrivilege	2176	wmic.exe
Token: SeManageVolumePrivilege	2176	wmic.exe
Token: 33	2176	wmic.exe
Token: 34	2176	wmic.exe
Token: 35	2176	wmic.exe
Token: 36	2176	wmic.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

description	pid	process	target process
PID 2156 wrote to memory of 5080	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 5080	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 5080	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 5056	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 5056	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 5056	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 2176	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 2176	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe
PID 2156 wrote to memory of 2176	2156	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe	wmic.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe

C:\Users\Admin\AppData\Local\Temp\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe
"C:\Users\Admin\AppData\Local\Temp\90e38cf92c11592a1ed3e8bdb8dbf8c50b94e3e1a007f0e402bc09cc0c86fa2e.exe"
1⤵
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 856
2⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 900
2⤵
- Program crash
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 900
2⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 920
2⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1004
2⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1100
2⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1532
2⤵
- Program crash
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1628
2⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1808
2⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1788
2⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1832
2⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1772
2⤵
- Program crash
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1540
2⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1076
2⤵
- Program crash
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1924
2⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1760
2⤵
- Program crash
PID:648

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1056
2⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1836
2⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2156 -ip 2156
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2156 -ip 2156
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2156 -ip 2156
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2156 -ip 2156
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2156 -ip 2156
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2156 -ip 2156
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2156 -ip 2156
1⤵
PID:600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2156 -ip 2156
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2156 -ip 2156
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2156 -ip 2156
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2156 -ip 2156
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2156 -ip 2156
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2156 -ip 2156
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2156 -ip 2156
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2156 -ip 2156
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2156 -ip 2156
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2156 -ip 2156
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2156 -ip 2156
1⤵
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-131-0x0000000000F23000-0x0000000000F9D000-memory.dmp

Filesize
488KB

Download
memory/2156-132-0x0000000001010000-0x000000000112C000-memory.dmp

Filesize
1.1MB

Download
memory/2156-133-0x0000000000400000-0x0000000000CBD000-memory.dmp

Filesize
8.7MB

Download
memory/2176-136-0x0000000000000000-mapping.dmp

Download
memory/5056-135-0x0000000000000000-mapping.dmp

Download
memory/5080-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads