Malware Analysis Report

2024-09-22 16:15

Sample ID 240402-l588mseb6w
Target 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip
SHA256 c231faf6512aa89779a509b2ec86e03ae1ac58ba16906c9f56180bb211ef6269
Tags
avaddon evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

c231faf6512aa89779a509b2ec86e03ae1ac58ba16906c9f56180bb211ef6269

Threat Level: Known bad

The file 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip was found to be: Known bad.

Malicious Activity Summary

avaddon evasion ransomware trojan

Process spawned unexpected child process

Avaddon family

Avaddon

UAC bypass

Avaddon payload

Deletes shadow copies

Renames multiple (191) files with added filename extension

Renames multiple (174) files with added filename extension

Executes dropped EXE

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:08

Signatures

Avaddon family

avaddon

Avaddon payload

No indicator rows recorded for this signature.

Unsigned PE

No indicator rows recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:08

Reported

2024-04-02 10:14

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

No indicator rows recorded for this signature.

Process spawned unexpected child process

| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |

Three identical rows, one for each of the three C:\Windows\system32\wbem\wmic.exe instances in the process list below. The WMI provider host, not the sample, is the recorded parent of those instances; the sample's own children are the SysWOW64 wmic.exe and vssadmin.exe processes listed under WriteProcessMemory.

UAC bypass

evasion trojan

| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

EnableLUA = 0 switches UAC off altogether (fully effective only after a reboot); ConsentPromptBehaviorAdmin = 0 makes Admin Approval Mode elevate without any prompt. Writing under HKLM\...\Policies\System already requires an administrative token, so the "bypass" is the sample removing the prompt for whatever runs next, not a way of gaining elevation it did not have. Alert on the registry write itself rather than waiting for the policy to take effect.

Deletes shadow copies

ransomware

Renames multiple (191) files with added filename extension

ransomware

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | N/A |

This is the copy of the sample written to %APPDATA%\Microsoft\Windows (hashes in the Files section, identical in both runs). In this run it was started by taskeng.exe, the Task Scheduler engine, as the WriteProcessMemory rows below record.

Checks whether UAC is enabled

evasion trojan

| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P:, \??\S:, \??\V:, \??\A:, \??\B:, \??\H:, \??\K:, \??\N:, \??\X:, \??\I:, \??\J:, \??\R:, \??\F:, \??\G:, \??\Q:, \??\U:, \??\W:, \??\Y:, \??\E:, \??\L:, \??\M:, \??\O:, \??\T:, \??\Z: (24 opens, in that order) | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

Every drive letter from A: to Z: except C: and D: was opened.

Enumerates physical storage devices

Interacts with shadow copies

ransomware

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |

Three identical rows, one per vssadmin.exe instance (see the process list below).

Suspicious behavior: EnumeratesProcesses

64 rows, all identical: Description N/A, Indicator N/A, Process C:\Users\Admin\AppData\Local\Temp\ab.exe, Target N/A (64 is the most rows the report lists for any signature, so the listing is capped).

Suspicious use of AdjustPrivilegeToken

Indicator and Target are N/A for every row. Each of the three C:\Windows\system32\wbem\wmic.exe instances enabled the same 20 privileges, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed LUIDs 33, 34 and 35 (in winnt.h: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).

A fourth instance, C:\Windows\SysWOW64\Wbem\wmic.exe, shows SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege before the listing stops at 64 rows, the cap applied to every long table in this report, so that entry is truncated.

The identical sequence from every instance is wmic.exe enabling all privileges present in its token at startup; it shows that wmic ran with an administrative token and nothing more specific about the sample.

Suspicious use of WriteProcessMemory

| Parent PID | Parent process | Child PID | Child process | Writes |
| 1056 | C:\Users\Admin\AppData\Local\Temp\ab.exe | 2556 | C:\Windows\SysWOW64\Wbem\wmic.exe | 4 |
| 1056 | C:\Users\Admin\AppData\Local\Temp\ab.exe | 828 | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| 1056 | C:\Users\Admin\AppData\Local\Temp\ab.exe | 1476 | C:\Windows\SysWOW64\Wbem\wmic.exe | 4 |
| 1056 | C:\Users\Admin\AppData\Local\Temp\ab.exe | 948 | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| 1056 | C:\Users\Admin\AppData\Local\Temp\ab.exe | 1360 | C:\Windows\SysWOW64\Wbem\wmic.exe | 4 |
| 1056 | C:\Users\Admin\AppData\Local\Temp\ab.exe | 2020 | C:\Windows\SysWOW64\vssadmin.exe | 4 |
| 1624 | C:\Windows\system32\taskeng.exe | 840 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | 4 |

Indicator is N/A for every row. Four writes into each child, in the order the children appear, is what a parent does while setting up a process it has just created, so these rows document the process tree rather than injection into an unrelated process: the sample (PID 1056) alternated wmic.exe and vssadmin.exe three times over, and the Task Scheduler engine taskeng.exe (PID 1624) later started the copy dropped under %APPDATA%\Microsoft\Windows.

System policy modification

evasion

| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

The first two values are the UAC bypass listed above. EnableLinkedConnections = 1 makes network drives mapped in the user's standard token visible to the elevated (split) token as well, which matters to a ransomware process that walks A: through Z: and wants mapped shares reachable while it runs elevated.

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ab.exe (PID 1056)
    "C:\Users\Admin\AppData\Local\Temp\ab.exe"
    Children of PID 1056, in the order the WriteProcessMemory rows above record them:
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2556)    wmic SHADOWCOPY DELETE /nointeractive
    C:\Windows\SysWOW64\vssadmin.exe (PID 828)      vssadmin Delete Shadows /All /Quiet
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1476)    wmic SHADOWCOPY DELETE /nointeractive
    C:\Windows\SysWOW64\vssadmin.exe (PID 948)      vssadmin Delete Shadows /All /Quiet
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1360)    wmic SHADOWCOPY DELETE /nointeractive
    C:\Windows\SysWOW64\vssadmin.exe (PID 2020)     vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\wbem\wmic.exe (three instances, each spawned by wmiprvse.exe per the "Process spawned unexpected child process" signature)
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe (two instances, the Volume Shadow Copy service; no command line recorded)

C:\Windows\system32\taskeng.exe (PID 1624)
    taskeng.exe {01EA538C-CF3C-4FE0-8AC5-A33344EAF6D4} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe (PID 840)
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

The shadow copies are removed twice over, through WMI (Win32_ShadowCopy via wmic) and through vssadmin, before the dropped copy is started from a scheduled task.

Network

No network activity recorded.

Files

C:\Users\Admin\Desktop\jA7qS_readme_.txt

MD5 7e8ba9bef068919afb9945cec8d8facd
SHA1 d513718829342a50c6aaaeed67bcb9cfc3fb5842
SHA256 801cb9c8ce3ef09b3b0d3509073b55a794499e89b1e9942dac48bef35929a0cc
SHA512 915ce203cb551838949215df4227cf5a9c0ccb1ad34c27317a269b27cdabb0b72643751db6d8e352f1fc37789d575d60c5072237ab159d856b13f5820469edf8

C:\Users\Admin\Downloads\jA7qS_readme_.txt

MD5 7b8ea4c2f454b42aba253eee2124a796
SHA1 4cca29ff0a9e0d8e2f87166c25a68bc518490f02
SHA256 4f56806b83b59f9c705777337b15cdbcb6bf4fa442d570254397762eaa73351f
SHA512 75a3562001c168fe3184682be44e4df552ed070988dd8227ad3650b0f7674c288108815232b6ba1db88fecf0adbfa02834526731d33910213e34922dd63dcdfb

C:\Users\Admin\Pictures\jA7qS_readme_.txt

MD5 50a246802161203af6b9db28b98064b2
SHA1 6920e10d10d334cda7b76b55e1e2e357452e1d5b
SHA256 15e71dac6200a52a02ca2d21a7308b07bc38875142eb0e49a685369da68e4f12
SHA512 f0102dd0a17f4b7746f6b13eecbc81f2b687157052db23b0e3a4449a22755e6c850e38eb4881aaac81ea23c127b859b7ce546e82989e91d8310605841b19e8f2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:08

Reported

2024-04-02 10:14

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

No indicator rows recorded for this signature.

Process spawned unexpected child process

| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |

Three identical rows, one for each of the three C:\Windows\system32\wbem\wmic.exe instances in the process list below; the WMI provider host, not the sample, is their recorded parent.

UAC bypass

evasion trojan

| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

The same two writes as in the Windows 7 run: UAC switched off (effective after reboot) and no elevation prompt for administrators.

Deletes shadow copies

ransomware

Renames multiple (174) files with added filename extension

ransomware

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | N/A |

The same dropped copy as in the Windows 7 run (identical hashes in the Files section).

Checks whether UAC is enabled

evasion trojan

| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

Drops desktop.ini file(s)

| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

Enumerates connected drives

| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H:, \??\J:, \??\T:, \??\Q:, \??\R:, \??\S:, \??\V:, \??\A:, \??\I:, \??\O:, \??\W:, \??\Y:, \??\F:, \??\E:, \??\K:, \??\U:, \??\M:, \??\N:, \??\P:, \??\X:, \??\Z:, \??\B:, \??\G:, \??\L: (24 opens, in that order) | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

Every drive letter from A: to Z: except C: and D: was opened, the same set as in the Windows 7 run.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

64 rows, all identical: Description N/A, Indicator N/A, Process C:\Users\Admin\AppData\Local\Temp\ab.exe, Target N/A (64 is the most rows the report lists for any signature, so the listing is capped).

Suspicious use of AdjustPrivilegeToken

Indicator and Target are N/A for every row. Each of the three C:\Windows\system32\wbem\wmic.exe instances enabled the same 21 privileges, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed LUIDs 33, 34, 35 and 36 (in winnt.h: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege; the last one does not exist on Windows 7, which is why the behavioral1 run lists 20).

One further C:\Windows\system32\wbem\wmic.exe row (SeIncreaseQuotaPrivilege) follows before the listing stops at the 64-row cap. As in the Windows 7 run, this is wmic.exe enabling every privilege in its token at startup, evidence only that it ran with an administrative token.

System policy modification

evasion

| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A |

The first two values disable UAC and its prompt; EnableLinkedConnections = 1 makes the user's mapped network drives visible to the elevated token as well, so shares stay reachable while the sample runs elevated.
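The three policy writes above (and the identical ones in the Windows 7 run) reduce to a check that can run over sandbox rows or EDR registry events. The Python below is an added example written for this page, not code from the sandbox or from the sample: it parses rows in the report's own `Set value (int) <key> = "<data>" <process> <target>` layout, flags the tampered values together with what each one means, and reports which process disabled UAC outright (both EnableLUA and ConsentPromptBehaviorAdmin). The svchost.exe row is constructed to show that re-enabling UAC is not flagged.

```python
"""Flag UAC / policy tampering from registry "Set value" rows.

Added example, not part of the sandbox report. The first three rows in
SAMPLE_ROWS are the report's; the svchost.exe row is constructed.
"""
import re
from typing import Dict, List, Optional

POLICY_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Policies\System")

# value name -> (data that indicates tampering, effect once the policy applies)
TAMPER_VALUES = {
    "EnableLUA": ("0", "UAC switched off (fully effective after the next reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "Admin Approval Mode elevates with no prompt"),
    "EnableLinkedConnections": ("1", "drives mapped in the user's token are also visible to the elevated token"),
}

# Row layout: Set value (<type>) <key>\<name> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Split one report row into key, value name, data and writing process."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"key": key, "name": name, "data": m.group("data"),
            "process": m.group("process")}


def find_policy_tamper(rows: List[str]) -> List[Dict[str, str]]:
    """Return the rows that set a watched value under Policies\\System to its tampered data."""
    findings = []
    for line in rows:
        ev = parse_row(line)
        if ev is None or ev["key"].lower() != POLICY_KEY.lower():
            continue
        expected = TAMPER_VALUES.get(ev["name"])
        if expected is not None and ev["data"] == expected[0]:
            findings.append({**ev, "effect": expected[1]})
    return findings


def uac_disabled_by(findings: List[Dict[str, str]]) -> List[str]:
    """Processes that wrote both EnableLUA=0 and ConsentPromptBehaviorAdmin=0."""
    names_by_process: Dict[str, set] = {}
    for f in findings:
        names_by_process.setdefault(f["process"], set()).add(f["name"])
    return sorted(p for p, names in names_by_process.items()
                  if {"EnableLUA", "ConsentPromptBehaviorAdmin"} <= names)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ab.exe"
SAMPLE_ROWS = [
    # the three rows from the report
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\ConsentPromptBehaviorAdmin = "0" {SAMPLE} N/A',
    f'Set value (int) {POLICY_KEY}\\EnableLinkedConnections = "1" {SAMPLE} N/A',
    # constructed benign row: re-enabling UAC must not be flagged
    f'Set value (int) {POLICY_KEY}\\EnableLUA = "1" C:\\Windows\\System32\\svchost.exe N/A',
]

if __name__ == "__main__":
    hits = find_policy_tamper(SAMPLE_ROWS)
    for h in hits:
        print(f'{h["process"]} set {h["name"]}={h["data"]}: {h["effect"]}')
    print("UAC disabled by:", uac_disabled_by(hits))
```

The same three value names are what to watch in Sysmon registry events (EventCode 13) on a live host; the writing process is the interesting field, since on a managed machine only Group Policy should be touching them.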

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ab.exe
    "C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe (three instances, each spawned by wmiprvse.exe per the "Process spawned unexpected child process" signature)
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe (three instances)
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe (two instances, the Volume Shadow Copy service; no command line recorded)

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Unlike the Windows 7 run, no vssadmin.exe invocations are recorded here: the shadow copies were removed through wmic.exe alone, and the report does not record which process started the %APPDATA% copy.
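Both runs delete shadow copies through built-in tools and then execute a copy from %APPDATA%. The Python below is an added example, not the report's or the sample's code: it runs three rules over process-creation events in the parent/child/command-line shape of an EDR record, using the PIDs the behavioral1 WriteProcessMemory rows supply and invented PIDs (1200, 700, 3001 to 3003, 4000, 4100) where the report gives none. The command-line patterns are flag-agnostic, so they also catch `vssadmin delete shadows` and `wmic shadowcopy delete` without the /All /Quiet or /nointeractive switches seen here; the `vssadmin list shadows` event is constructed to show that merely querying VSS does not fire.

```python
"""Rules over process-creation events for the shadow-copy deletion and
persistence behaviour in the process lists of both runs.

Added example, not part of the sandbox report. PIDs 1056, 2556, 828, 1476,
948, 1360, 2020, 1624 and 840 come from the behavioral1 WriteProcessMemory
rows; every other PID, and the explorer.exe / cmd.exe events, are invented.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


# Flag-agnostic forms of the two deletion commands seen in the report.
SHADOW_DELETE = (
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that trips a rule."""
    hits = []
    for e in events:
        if any(p.search(e.cmdline) for p in SHADOW_DELETE):
            hits.append(("shadow_copy_deletion", e.pid, e.cmdline))
        if basename(e.parent_image) == "wmiprvse.exe" and basename(e.image) == "wmic.exe":
            hits.append(("wmiprvse_spawned_wmic", e.pid, e.image))
        if basename(e.parent_image) == "taskeng.exe" and "\\appdata\\" in e.image.lower():
            hits.append(("scheduled_task_runs_appdata_exe", e.pid, e.image))
    return hits


def shadow_delete_by_parent(events: List[ProcEvent]) -> Dict[int, int]:
    """Shadow-deleting children per parent PID; more than one is the
    belt-and-braces pattern seen here (wmic and vssadmin alternated)."""
    return dict(Counter(e.ppid for e in events
                        if any(p.search(e.cmdline) for p in SHADOW_DELETE)))


TEMP_AB = r"C:\Users\Admin\AppData\Local\Temp\ab.exe"
ROAM_AB = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe"
WMIC32 = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
WMIC64 = r"C:\Windows\system32\wbem\wmic.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
WMI_DEL = "wmic SHADOWCOPY DELETE /nointeractive"
VSS_DEL = "vssadmin Delete Shadows /All /Quiet"

EVENTS = [
    ProcEvent(1056, 1200, r"C:\Windows\explorer.exe", TEMP_AB, f'"{TEMP_AB}"'),  # ppid invented
    ProcEvent(2556, 1056, TEMP_AB, WMIC32, WMI_DEL),
    ProcEvent(828, 1056, TEMP_AB, VSSADMIN, VSS_DEL),
    ProcEvent(1476, 1056, TEMP_AB, WMIC32, WMI_DEL),
    ProcEvent(948, 1056, TEMP_AB, VSSADMIN, VSS_DEL),
    ProcEvent(1360, 1056, TEMP_AB, WMIC32, WMI_DEL),
    ProcEvent(2020, 1056, TEMP_AB, VSSADMIN, VSS_DEL),
    # the three system32 wmic.exe instances the report attributes to wmiprvse.exe (PIDs invented)
    ProcEvent(3001, 700, WMIPRVSE, WMIC64, WMI_DEL),
    ProcEvent(3002, 700, WMIPRVSE, WMIC64, WMI_DEL),
    ProcEvent(3003, 700, WMIPRVSE, WMIC64, WMI_DEL),
    ProcEvent(840, 1624, r"C:\Windows\system32\taskeng.exe", ROAM_AB, ROAM_AB),
    # constructed benign event: listing shadows from an admin shell is not deletion
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
    print(shadow_delete_by_parent(EVENTS))
```

The per-parent count is the field worth alerting on: a single non-backup process that spawns several shadow-deleting children in a row, as PID 1056 does six times here, is a far stronger signal than any one vssadmin.exe launch.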

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| N/A | 10.127.0.1:445 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| N/A | 10.127.0.1:139 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.162.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| US | 8.8.8.8:53 | 2.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 10.127.0.3:445 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| US | 8.8.8.8:53 | 3.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| N/A | 10.127.0.4:445 | | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| US | 8.8.8.8:53 | 4.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| US | 8.8.8.8:53 | 5.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| N/A | 10.127.0.6:445 | | tcp |
| N/A | 10.127.0.6:139 | | tcp |

The TCP rows walk the sandbox's own subnet, 10.127.0.1 to 10.127.0.6 in order, each on 445 (SMB) and 139 (NetBIOS session), interleaved with PTR lookups of the same addresses (2.0.127.10.in-addr.arpa is 10.127.0.2, and so on). The report does not attribute network rows to a process, but a sequential sweep of neighbouring hosts on the SMB ports is host discovery, the network counterpart of the A: to Z: drive enumeration; the Windows 7 run recorded no network activity at all. The remaining PTR queries are for public addresses and are not tied to anything else in the report.
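The table above is raw connection rows; the sweep only becomes obvious once the SMB connects are grouped by subnet and the PTR names are turned back into addresses. The Python below is an added example, not part of the report: it parses rows in the report's `country destination [domain] proto` layout (SAMPLE_ROWS is a subset copied from the table), returns the /24 networks in which at least `min_hosts` distinct hosts were contacted on 445 or 139, and lists the private addresses that were reverse-resolved. `min_hosts=3` is a chosen threshold, not a value from the report.

```python
"""Pick the SMB sweep out of a sandbox network table.

Added example, not part of the sandbox report. SAMPLE_ROWS is a subset of
the report's behavioral2 rows; min_hosts is a chosen threshold.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

SMB_PORTS = {445, 139}
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_row(line: str) -> Optional[Dict[str, object]]:
    """The domain column is present for DNS rows and absent for plain TCP connects."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        return None
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def ptr_to_ip(name: Optional[str]) -> Optional[str]:
    """154.239.44.20.in-addr.arpa -> 20.44.239.154 (octets are reversed in PTR names)."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def find_smb_sweep(rows: List[str], min_hosts: int = 3) -> Dict[str, List[str]]:
    """/24 networks in which at least min_hosts distinct hosts were contacted on 445 or 139."""
    hosts_by_net = defaultdict(set)
    for line in rows:
        r = parse_row(line)
        if r is None or r["proto"] != "tcp" or r["port"] not in SMB_PORTS:
            continue
        net = ipaddress.ip_network(f"{r['host']}/24", strict=False)
        hosts_by_net[str(net)].add(r["host"])
    return {net: sorted(h, key=ipaddress.ip_address)
            for net, h in hosts_by_net.items() if len(h) >= min_hosts}


def private_ptr_targets(rows: List[str]) -> List[str]:
    """Private addresses the host tried to reverse-resolve, corroborating the sweep."""
    ips = set()
    for line in rows:
        r = parse_row(line)
        if r is None or r["proto"] != "udp" or r["port"] != 53:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip and ipaddress.ip_address(ip).is_private:
            ips.add(ip)
    return sorted(ips, key=ipaddress.ip_address)


# Subset of the behavioral2 network table, in the report's own row layout.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp",
    "N/A 10.127.0.1:445 tcp",
    "N/A 10.127.0.1:139 tcp",
    "US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp",
    "N/A 10.127.0.2:445 tcp",
    "N/A 10.127.0.2:139 tcp",
    "US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp",
    "N/A 10.127.0.3:445 tcp",
    "N/A 10.127.0.3:139 tcp",
    "US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp",
    "N/A 10.127.0.4:445 tcp",
    "N/A 10.127.0.4:139 tcp",
    "US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp",
    "N/A 10.127.0.5:445 tcp",
    "N/A 10.127.0.5:139 tcp",
    "US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp",
    "N/A 10.127.0.6:445 tcp",
    "N/A 10.127.0.6:139 tcp",
]

if __name__ == "__main__":
    print(find_smb_sweep(SAMPLE_ROWS))
    print(private_ptr_targets(SAMPLE_ROWS))
```

The same grouping works on Sysmon Event 3 or NetFlow records: one workstation opening 445 to a run of consecutive neighbours within seconds is the thing to hunt for, whatever the sample is called.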

Files

C:\Users\Admin\Documents\Bypu6_readme_.txt

MD5 17616647cae98bac1184664f34721e08
SHA1 416e4d45123c54bd84c51791113f8fcaee8bf0ee
SHA256 e7c01fce73e5d92c1ddab847507cba6c26fc315e3c2d33a5f183def3e9fb1bc7
SHA512 a07d0dbcd4499c599399073b54b90c4aa0f37743ab6e98df505a0aa2092d1b24ccd18ba70bd6aba7f3e01a32287b5806041ac38faf1d15e159e4b1a86e407b90

C:\Users\Admin\Downloads\Bypu6_readme_.txt

MD5 9b78bb86ef9801447aaa11ec97a55ddd
SHA1 51989b9dc94c9ac0168cc7ffc4cff58a11253eb4
SHA256 fa647dfdf8ddd14e26339bb6718fb6b6bb4aa47b28160ba71ec947019b743286
SHA512 73263bb4051671721752a9fdfdb2c54f2f631a9ea7a0f14b3902ba9fbc3564b6cdae5dedff6cc1d232cf80563550dfd6cced99b8a850fb520277d21871f55869

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619