Analysis

  • max time kernel
    152s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-04-2024 10:08

General

  • Target

    2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

  • Size

    775KB

  • MD5

    7fc5a1aafb84705745dba65e2a178217

  • SHA1

    0825e3b2115c9053563a307402e32d28056223a7

  • SHA256

    2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a

  • SHA512

    b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2

  • SSDEEP

    24576:TCsB9+OXLpMePfI8TgmBTCDqEbOpPtpFhPxfq:56OXLpMePfzVTCD7gPtLh5fq

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

Pe4N1Zayel6Rzk2K3U0S8wB
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
MjU5NC1NVnhRNzBHcm85K3F4Y0dvdTJYQnppQTZsSGJZbjBlSmJTcE5jSkZteUlGcjR5YlIwanZQMmdGRHFtMXVBYlJJeEZyNitodnAxSzNLa0VqekJQUVljVjBBNEhYdXk0U1M1VFR5ZGl0QjRORGNYeFFoZ2M5azhhTEtWWFdCamVtdDQxMFhCdGxTOUdPZ3ZiSWRUMUVQajg2OWVoNk9MVnA5eTRGVlQwYkVpb1JkSkh5TmxtR2Y1N1dOZ1RnU1MvWVdyRTgxVzgvZ2YyOFlOS3gzdm9DclNqclMvdUhMNWxsWXFrc2JqbEFHU0dHUVRsOS8vdHlaY04zMndSVEhPWjVQMHRYNGxVQnJCcm5lbmFpS2lSeWFsS3lCWExHNEJFcTNKdFpiK1BLSWw2M1JEKzlzeGtIdk5qMEhWbHZWR3hOMi9NRDZzcUw0M3EzdmhuMDVtdWRvMndxaDQ2ZWFMVGg4YUllN0VzVi80UG5GMzJRRzFhazk4NEhsUC9FYnBsRjY4V2VRTWlSdU0zN2ZTR0ZOZ3FSQVdKVGdENVNCYlRuLzBJTnh1OUhFUCtUK2J2d3d4aGVJNHE4dHNodE0vaTZlK3J6emIzOFdiS1g4N3JxN2ZTU1hWaHdxVWxNRkZiMmlVTW90dXhuNXFJTm9pT2oweFZNOCtZcFlCdUpWRWVHWHVQNjRib2loZjNvNm02QjJoWHl6bEJwYml1MmxkUG91NG5pcTVhcTZSK1FpeXBIY1cyUmFTWG94djlZTW1ucmRGamF1N292ZGhCS3JhUTVWWE8vU2g2NmI4czJYMFA2Z2I5N2g0TTU1dUtjd3RPVDJackZlL1l3YjJZUnFZM2lpdm9tb1ZyTWVzMGtEM2tIaHBMSUgrVCtsTndLbmNjZUNRZ3RPRmlzclpzSFROdDlRWHZwZXh6S3FBNndwU0d6bXQzUTYwc3kvdmFOMUNkbEh2dHBnZ054UDYvQnJnSXE2UnVPV0YycDlNNFhHQXFSRWduOHhNckFJYlI5Qi9lYkVIcmt2R2dMOU4zNjJGQ1VMNzh4K0lNQ01yZVk3Q0lZV1hiYlBGL2lwWEZGT3pZRVV1REczWTEzTW1BYlhRRTlaZDFhakZzVXhLZjQ5c092ODJKOGF4VmZMWnZySWZ4ckpUUkhjTGZITXROcFQ3aHRUSTN3RCtmZlFqcmFQWUFlSmdjWXlqa1hha0RrNm9HTi95bnJ0aGJlMk1ZS05CMmlsUlJQYUFwLzd5K3VOTnlEUHNZNERuRUlvQXhJMW9ZQ0RuV3lYeE5ya0dFRzRtOGRaYlJ5MzdRY1IvSUxSU1c0UnRJRDl3V2JZV3dJVlNxVnQ2V0pQaXljTnpVVG1UWWY5eUVHK3NUZTV6U1lza0ZXVzZJREpNTzV6RThTM0o5LzJmMlVSUWR0NlRiZE5vM0ZSTDJXRUtrVzV2aU5Ja1pkaUFsMldvMUFrMW14dXd1cXJwdHJib1g4UG5oandVYkhLMnVISHdvVXl2REpNRHdqby9Vc2k0Qk94aHBMNWpIaHJ5U1gxVENpemc1TGRMaGdubjdrZ0ZCMG9YaEhaMHlHTnVyR1RjTG5WWnhLWXUzRnlONVBZVldlK1NTMUszVkRCT1dzRXY0R2lPZm1RSXp1NlgwNis5Z2lKVFpHVVg1N3lJRHYvUDkxSlR6K25uSkZmN0trZi9pL0pFM09tTHk2SWxUMllndTh2RTg3S0l3c0lkZHlZRDFoRERNVmI3SkJ0eTY3S2JvekJUUE5hV2NObGd5S084NXhNeXtQWkFNMGo5Qzl3SDNTSUZoSjVoWEhtaFBzYXhzdmlVTTlTNU5WNk1yTjA4aE5HbkJveXgwODk0RjhzTkxyaU1LM0w2N2pLRGNaRHMrTEpPaE82RGJEZENPYWhSRUUzMXRaQkxxdFc3clR6R3gvTEpDVHpLdWpkTm43M0JWRUZtTjNzcDFtNjc2WGcvU0k3YTRBYmFPeUhsQmpnVW8zaTlwWUtlR29iU1FyYTdvSXhzbnFPUW1SdTNzVnU2SFlFaVVCbitudi9UU2JyNVJ6TUxDYWpSNkNleEFNNWJ1bTkrczhKVU9GeHhXeVF6em9PcnQxaGxCWHkyV0lwdHd4eDhSTWZmc0lpb2RlWDNlQjlUNGtVVmdzcFNpRW51QT09
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

z
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

8OHagyf5KzW4E6ouNYMB0mw0fLn5C
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

u1ntqSbd134v3j
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

q0iJBGkstWugXS3iQmciAH9jQQM
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

GVAG04P6
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\HvQEW_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

kMtmpxuF8HjQaea6KaDzCde0OMNWJrN
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion
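Every note extracted above follows one template with a per-victim ID and a different trailing token, which is why the per-file hashes listed under Downloads never match from one copy to the next even though the content is the same. The following added example, not part of the sandbox report, parses an Avaddon-style note into indicators (encrypted-file extension, .onion hosts, victim ID with a strict base64 check) and computes a template hash with the ID blanked and the trailing token dropped, so copies can be matched across hosts. The two notes embedded in the block are constructed from an abridged version of the template shown above; their victim IDs and trailing tokens are placeholders, not values from the report.

```python
"""Pull indicators out of an Avaddon-style ransom note.

Added example, not part of the sandbox report. The sample notes below are
constructed from an abridged copy of the note template in the report; their
victim IDs and trailing tokens are placeholders, not the report's values.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Fixed text across copies: the closing warning. Anything after it (the
# report's copies carry differing trailing tokens) is ignored when matching.
END_MARK = "OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *"

EXT_RE = re.compile(r"have the extension:\s*(\.[A-Za-z0-9]+)")
# v2 (16 chars) and v3 (56 chars) onion hostnames, base32 alphabet.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")
# The ID sits alone between two rules of dashes under "Your ID:".
ID_RE = re.compile(r"Your ID:\s*-{10,}\s*(\S+)\s*-{10,}")


@dataclass
class NoteIndicators:
    extension: Optional[str]
    onion_hosts: List[str]
    victim_id: Optional[str]
    id_is_base64: bool
    template_sha256: str


def is_base64(token: str) -> bool:
    """Strict check: canonical alphabet and correct padding."""
    if len(token) % 4 != 0:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def template_hash(text: str, victim_id: Optional[str]) -> str:
    """SHA-256 of the note with the ID blanked, the trailing token dropped and
    whitespace normalised. Copies of one template hash identically even though
    their file hashes differ."""
    body = text.replace(victim_id, "<ID>") if victim_id else text
    head, sep, _trailing = body.partition(END_MARK)
    normalised = " ".join((head + sep).split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def parse_note(text: str) -> NoteIndicators:
    ext = EXT_RE.search(text)
    id_match = ID_RE.search(text)
    victim_id = id_match.group(1) if id_match else None
    return NoteIndicators(
        extension=ext.group(1) if ext else None,
        onion_hosts=sorted(set(ONION_RE.findall(text))),
        victim_id=victim_id,
        id_is_base64=bool(victim_id) and is_base64(victim_id),
        template_sha256=template_hash(text, victim_id),
    )


# Abridged template of the note shown in the report; {victim_id} and {trailing}
# are filled with constructed placeholders below.
NOTE_TEMPLATE = """-------=== Your network has been infected! ===-------
All your documents, photos, databases and other important files have been encrypted and have the extension: .abaBBeAABc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
How to get to our page
| 1. Download Tor browser - https://www.torproject.org/
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
Your ID:
--------------------------------------------------------------------------------
{victim_id}
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * {trailing}
"""

# Constructed placeholder IDs (not the report's victim ID).
PLACEHOLDER_ID_A = base64.b64encode(b"constructed placeholder id A").decode()
PLACEHOLDER_ID_B = base64.b64encode(b"constructed placeholder id B, other host").decode()
SAMPLE_NOTE_A = NOTE_TEMPLATE.format(victim_id=PLACEHOLDER_ID_A, trailing="tokenA")
SAMPLE_NOTE_B = NOTE_TEMPLATE.format(victim_id=PLACEHOLDER_ID_B, trailing="tokenB")

if __name__ == "__main__":
    for label, note in (("A", SAMPLE_NOTE_A), ("B", SAMPLE_NOTE_B)):
        ind = parse_note(note)
        print(label, ind.extension, ind.onion_hosts, ind.id_is_base64,
              ind.template_sha256[:16])
```

Feed each recovered HvQEW_readme_.txt to parse_note: the extension and onion hosts go straight into blocklists and file-name hunts, and the template hash lets you say "same note, same campaign" across hosts without relying on the per-file MD5/SHA values, which differ for every copy.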

Signatures

  • Avaddon

    Ransomware-as-a-service first advertised in June 2020. The operation announced its shutdown in June 2021 and released its decryption keys, from which a free decryptor was built; this sample was submitted in April 2024, well after that point, so treat it as a known family rather than an active campaign.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the signature is attached to the three system32 wmic.exe instances, whose parent is not shown in the process tree, so treat the wmic command line itself as the primary indicator rather than the parent/child relationship.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware routinely deletes Volume Shadow Copies so the victim cannot roll files back; here it is done with `wmic SHADOWCOPY DELETE /nointeractive`, launched six times (see the process tree).

  • Renames multiple (161) files with added filename extension

    This suggests ransomware encrypting files across the system; the extension appended here is .abaBBeAABc, matching the ransom note.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The vssvc.exe instance in the process tree (PID 2040) is that service starting on demand, consistent with the wmic SHADOWCOPY DELETE calls.
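The shadow-copy deletion is the highest-fidelity signal in this report: the command line `wmic SHADOWCOPY DELETE /nointeractive` appears six times and maps to Inhibit System Recovery (T1490). The following added example, not part of the sandbox report, runs that detection over constructed process-creation events using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, ProcessId); only the first event mirrors the report's tree, the others are made up to exercise the vssadmin, bcdedit and benign-enumeration cases. The normalisation step is what defeats the odd casing, extra spaces and quoting in the second constructed event, and a parent launched from a user-writable path (as the sample here was, from %TEMP%) raises the severity.

```python
"""Flag process-creation events that inhibit system recovery (ATT&CK T1490).

Added example, not part of the sandbox report. Events are constructed dicts
using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage,
ProcessId); only the first one mirrors what the report's process tree shows.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Each rule is (name, regex over the normalised command line). Binary names are
# matched at the start or after a backslash so full paths and bare names both hit.
RULES: List[Tuple[str, re.Pattern]] = [
    ("wmic_shadowcopy_delete",
     re.compile(r"(^|\\)wmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin_delete_shadows",
     re.compile(r"(^|\\)vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"(^|\\)vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wbadmin_delete_catalog",
     re.compile(r"(^|\\)wbadmin(\.exe)?\s+delete\s+catalog")),
    ("bcdedit_disable_recovery",
     re.compile(r"(^|\\)bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]

# A parent running from a user-writable location (the report's sample ran from
# %TEMP%) raises confidence; admins run these tools from cmd/powershell instead.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so casing, quoting and
    padding tricks do not dodge the patterns."""
    return " ".join(cmdline.replace('"', "").lower().split())


def parent_is_user_writable(parent_image: str) -> bool:
    path = parent_image.lower()
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a hit dict for the first matching rule, or None."""
    cmd = normalise(event.get("CommandLine", ""))
    for name, rx in RULES:
        if rx.search(cmd):
            high = parent_is_user_writable(event.get("ParentImage", ""))
            return {"rule": name, "severity": "high" if high else "medium",
                    "pid": event.get("ProcessId", ""), "cmd": cmd}
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    return [hit for hit in map(evaluate, events) if hit]


# Constructed events. The first reproduces the report's tree; the rest are made up.
SAMPLE_EVENTS = [
    {"ProcessId": "4440", "Image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "CommandLine": "wmic SHADOWCOPY DELETE /nointeractive",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"},
    {"ProcessId": "5100", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r'"C:\Windows\System32\VSSADMIN.EXE"  Delete   Shadows /All /Quiet',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": "5130", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic shadowcopy list brief",  # benign enumeration
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": "5140", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",  # benign
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity']:6}] pid={hit['pid']} {hit['rule']}: {hit['cmd']}")
```

Matching on the normalised command line rather than on the image path is deliberate: the report shows the same deletion issued from both SysWOW64 and system32 copies of wmic.exe, and the deleting verb can be separated from `shadowcopy` by a `where` clause, which the first rule tolerates while still ignoring read-only `list` invocations.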

Processes

  • C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
    "C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1800
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:4440
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:4036
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2984
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:1652
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:1280
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2672
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2040
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
    1⤵
    • Executes dropped EXE
    PID:3112

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Privilege Escalation
    • T1548 Abuse Elevation Control Mechanism (1)
    • T1548.002 Bypass User Account Control (1)
  • Defense Evasion
    • T1548 Abuse Elevation Control Mechanism (1)
    • T1548.002 Bypass User Account Control (1)
    • T1562 Impair Defenses (1)
    • T1562.001 Disable or Modify Tools (1)
    • T1112 Modify Registry (2)
    • T1070 Indicator Removal (1)
    • T1070.004 File Deletion (1)
  • Discovery
    • T1082 System Information Discovery (3)
    • T1012 Query Registry (1)
    • T1120 Peripheral Device Discovery (1)
  • Impact
    • T1490 Inhibit System Recovery (1)


Downloads

  • C:\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: 34b14b49181ad24018960171f12af755
    SHA1: 768d79715d51a8dd7e873d8250a35e276f9fd857
    SHA256: 0894aa873b979a61c9ca8ba2f03a5bd812d1b5a8bff4afd802e58cda17f919d9
    SHA512: 0c4efbe1c9d05ae3bd0bbd3db73e9a5d22b648e0d41eef9d5e317252bd554975d838800314f20e97dd560c5e5b673f292f64f8c74e2f48969a17cb3be92a4061

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
    Filesize: 775KB
    MD5: 7fc5a1aafb84705745dba65e2a178217
    SHA1: 0825e3b2115c9053563a307402e32d28056223a7
    SHA256: 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
    SHA512: b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2

  • C:\Users\Admin\Desktop\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: babe3f8b201410fdf88449b5fb730df3
    SHA1: 72214a8d729c62974aefde55857ac997f69c3657
    SHA256: db6c2f3dd836ac9f328a37624a24c4161746b4d7618497ce135620d65d7f1474
    SHA512: a7ab2565ffa5ed2d9126511149a2fac881967152f81848c8a2f8c849e53118d2d7f1d7acd704c2e4ea197634f30de604eff2b2f196355073a696bf2b75b32ba1

  • C:\Users\Admin\Documents\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: df891e75fa75c7929ac20e4c2d007acf
    SHA1: 1697f9bf909d1718c1648a5e190dd809fe31f385
    SHA256: b4f110795d45f61ef36d55274080eee1de2d876cfc99d394e57adf9a8e0131d2
    SHA512: 9b39d41ebb3ce85a624c779065ab6b11aa624bf2bbee1b16d93ca21521ef7172865dab0bd93efbffd66dbf9c02550497e7e4a4788a2de13a3aad088cbcecdae6

  • C:\Users\Admin\Documents\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: b19661ca55a40cf0a18f6ec124c59553
    SHA1: 6954e9c666e904601f916c5375d79aa2c7dc6891
    SHA256: f78a0f1e572a75a6c354fa831f058e7d14e5f4a9742d32a3a9ec0c8787bfe30f
    SHA512: 113e05f423290e67431b2dc2435b496eef2496e77744baf8604d5f46a6f21694eb1886bf7e92fef9366c35ed7af306598030f6fbda0b8a05292707914721de75

  • C:\Users\Admin\Downloads\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: 3d5c8a685abc1a8ccdeeeb02d95b74b5
    SHA1: 463cb0048fb96a6ac85f1d0b595631739885ef27
    SHA256: 0468301bfc918239137457b261ed86ab62a13aef9d6408314d4473d05548d652
    SHA512: 49e555f6fe6e542b52fef261ccff6fa3ec0e80d5663ea44dd4806c82b43ccff705011b6395afa16bb11ff54e40b56f7ce441e479c88e43730556e36708ab518e

  • C:\Users\Admin\Music\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: 52a2c7c007219b7dcd315d10d390a57b
    SHA1: b29da740a53c88de05c97e4d8ce60cdf6a1c2c1f
    SHA256: cad50eba719ccbc8fbd2fd6abfd96d94eab0b7491513cd1dd26ba3650e8ffb2e
    SHA512: 5eca9350c57c692d05d07b66ef5c17752b847dffb382e634c34fc20489f68df12f075c59002ab10b27843e1c2cb8f0211a9e777fac94baddb0f867733fb0e33a

  • C:\Users\Admin\Pictures\HvQEW_readme_.txt
    Filesize: 3KB
    MD5: 7fc2bdee0b5116623e21150a840fb924
    SHA1: af88afc55fc336ac5730c30ab0e9f777d86ae793
    SHA256: 9e4ab18e7f0a308a2f54d18d3c4787f77f91fbe792ba4ea058644d36b57c0c16
    SHA512: 2d126289c6fdd5a690bba41e9daf6aff9867bec43d2c2c51dd8ccfce591d2def6c97374df0142102cf815458980f07ef53539c609c8f7b3395c54fbf1155b8eb