Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-04-2024 10:08
Behavioral task
behavioral1
Sample
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
Resource
win10v2004-20240226-en
General
-
Target
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe
-
Size
775KB
-
MD5
2d2a5a22bc983829cfb4627a271fbd4e
-
SHA1
c0fc01350ae774f3817d71710d9a6e9adaba441f
-
SHA256
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
-
SHA512
8237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
-
SSDEEP
24576:+Csq9+OXLpMePfI8TgmBTCDqEbOpPtpFaoxfq:YxOXLpMePfzVTCD7gPtLa4fq
Malware Config
Extracted
C:\Users\Admin\Desktop\0POdn2O_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Extracted
C:\Users\Admin\Documents\0POdn2O_readme_.txt
avaddon
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe family_avaddon -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
wmic.exewmic.exewmic.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 2512 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2512 wmic.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3084 2512 wmic.exe -
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exepid process 1164 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exedescription ioc process File opened (read-only) \??\P: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\U: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\L: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\O: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\J: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\K: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\M: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\N: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\R: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\Y: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\E: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\G: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\Q: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\T: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\A: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\H: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\S: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\V: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\W: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\X: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\Z: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\F: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\B: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe File opened (read-only) \??\I: 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exepid process 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 1492 wmic.exe Token: SeSecurityPrivilege 1492 wmic.exe Token: SeTakeOwnershipPrivilege 1492 wmic.exe Token: SeLoadDriverPrivilege 1492 wmic.exe Token: SeSystemProfilePrivilege 1492 wmic.exe Token: SeSystemtimePrivilege 1492 wmic.exe Token: SeProfSingleProcessPrivilege 1492 wmic.exe Token: SeIncBasePriorityPrivilege 1492 wmic.exe Token: SeCreatePagefilePrivilege 1492 wmic.exe Token: SeBackupPrivilege 1492 wmic.exe Token: SeRestorePrivilege 1492 wmic.exe Token: SeShutdownPrivilege 1492 wmic.exe Token: SeDebugPrivilege 1492 wmic.exe Token: SeSystemEnvironmentPrivilege 1492 wmic.exe Token: SeRemoteShutdownPrivilege 1492 wmic.exe Token: SeUndockPrivilege 1492 wmic.exe Token: SeManageVolumePrivilege 1492 wmic.exe Token: 33 1492 wmic.exe Token: 34 1492 wmic.exe Token: 35 1492 wmic.exe Token: 36 1492 wmic.exe Token: SeIncreaseQuotaPrivilege 2288 wmic.exe Token: SeSecurityPrivilege 2288 wmic.exe Token: SeTakeOwnershipPrivilege 2288 wmic.exe Token: SeLoadDriverPrivilege 2288 wmic.exe Token: SeSystemProfilePrivilege 2288 wmic.exe Token: SeSystemtimePrivilege 2288 wmic.exe Token: SeProfSingleProcessPrivilege 2288 wmic.exe Token: SeIncBasePriorityPrivilege 2288 wmic.exe Token: SeCreatePagefilePrivilege 2288 wmic.exe Token: SeBackupPrivilege 2288 wmic.exe Token: SeRestorePrivilege 2288 wmic.exe Token: SeShutdownPrivilege 2288 wmic.exe Token: SeDebugPrivilege 2288 wmic.exe Token: SeSystemEnvironmentPrivilege 2288 wmic.exe Token: SeRemoteShutdownPrivilege 2288 wmic.exe Token: SeUndockPrivilege 2288 wmic.exe Token: SeManageVolumePrivilege 2288 wmic.exe Token: 33 2288 wmic.exe Token: 34 2288 wmic.exe Token: 35 2288 wmic.exe Token: 36 2288 wmic.exe Token: SeIncreaseQuotaPrivilege 3084 wmic.exe Token: SeSecurityPrivilege 3084 wmic.exe Token: SeTakeOwnershipPrivilege 3084 wmic.exe Token: SeLoadDriverPrivilege 3084 wmic.exe Token: SeSystemProfilePrivilege 3084 wmic.exe Token: SeSystemtimePrivilege 3084 wmic.exe Token: SeProfSingleProcessPrivilege 3084 wmic.exe Token: SeIncBasePriorityPrivilege 3084 wmic.exe Token: SeCreatePagefilePrivilege 3084 wmic.exe Token: SeBackupPrivilege 3084 wmic.exe Token: SeRestorePrivilege 3084 wmic.exe Token: SeShutdownPrivilege 3084 wmic.exe Token: SeDebugPrivilege 3084 wmic.exe Token: SeSystemEnvironmentPrivilege 3084 wmic.exe Token: SeRemoteShutdownPrivilege 3084 wmic.exe Token: SeUndockPrivilege 3084 wmic.exe Token: SeManageVolumePrivilege 3084 wmic.exe Token: 33 3084 wmic.exe Token: 34 3084 wmic.exe Token: 35 3084 wmic.exe Token: 36 3084 wmic.exe Token: SeIncreaseQuotaPrivilege 60 wmic.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exedescription pid process target process PID 3560 wrote to memory of 60 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 60 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 60 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 1160 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 1160 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 1160 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 3968 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 3968 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe PID 3560 wrote to memory of 3968 3560 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe wmic.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe"C:\Users\Admin\AppData\Local\Temp\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive2⤵
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\wmic.exewmic SHADOWCOPY DELETE /nointeractive1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Indicator Removal
1File Deletion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b.exeFilesize
775KB
MD52d2a5a22bc983829cfb4627a271fbd4e
SHA1c0fc01350ae774f3817d71710d9a6e9adaba441f
SHA2560ff4058f709d278ed662719b9627618c48e7a656c59f6bfecda9081c7cbd742b
SHA5128237f6db84a2339827e4044929df58597733d04f8e56c621394f2c2b79c06dc9fb3e64373d0205c0f14372173875b2487d178472eda6837da2ef20187285ad0d
-
C:\Users\Admin\Desktop\0POdn2O_readme_.txtFilesize
3KB
MD56b827c05c107ef9c0c0aaee753703508
SHA1cf7f76a95394b24cbb480ea25f1427b187f82a31
SHA256d7e95ea73fa3632141ada018361e9b96b13d5e520a8695b1a06b74dc37f1ef39
SHA512f0b86d584cd2318c34b960a786de6e31b91242d66de67ada1df38a4d300fa6d8b05c44d01dcfc9fa15b9750085535533cb30141edaebd84dbcf662503acb9d6b
-
C:\Users\Admin\Documents\0POdn2O_readme_.txtFilesize
3KB
MD528b86020602aae3ee4f661699440e2c2
SHA145d3833411cf068b20745c0c75da96d69ed67fb8
SHA2568911d45c8b9101283edec72e264da4396c526d23462a02de04099d1591a9dc7e
SHA5124bfc5d329a7719f2be3ea635bad3b7515f024548f6a7ec2237777994683fa61db5656ead1e1b2b64188368e8247e98530ad97d6547cc4e23746d1d8643006c85