Analysis

  • max time kernel
    160s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-04-2024 10:08

General

  • Target
    48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
  • Size
    775KB
  • MD5
    117da2dd6fa24616f63eb43d5a15e5d3
  • SHA1
    b4d70eecdef52ceef15f04a025d1ab08f193fb97
  • SHA256
    48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
  • SHA512
    de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
  • SSDEEP
    24576:TCsQ9+OXLpMePfI8TgmBTCDqEbOpPtpFhAxfq:5HOXLpMePfzVTCD7gPtLhQfq

Malware Config

Extracted

Path

C:\Users\Admin\Documents\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

1ovn5tqubV7gsxJ6wrIn
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

NRW9Q6cER7pFEOR87ODub0H8
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

x
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
MjcwMS1seTdVQk0wa0ovRDh2TGtMMklSdmo1MktiSzB2NVo5QzBpbkcyTFByaFkybGN4a3V1VFZCdUhPNDdhWkJhZy95VEhUNzBMRmZUeTJLV3pPYVpIUzRzUmpEcWlDTkJOTzJkeGIrUWxBS1IxcURkblhQamdGUXpBajQwd1BsWDZMbEF6NEU2eTZNUjBESFdkOXgyZWsyMTJZeWtMVHZRYTdOVlpyaHVBZXFGdGlMMzY5YTVhR2dURkNSR3JlTXZXV2s5Y2FjaXNLSGVLczhmb01VOFl5R1N5Q2tEbHRXbTBkREZGKzllNFZBZzZxaGJWNU11Z001Vk9NZHNkR0JqdE90SHRRTmNYRHpsMUwrNjZHeXdPQ2xDUUpUYkxiNkFNNWxpVm9HZlo4TTgreDA2N0dUT3UzWFpuTEhSUHJaNTJMN1BSd2kyOU5CU01GNEJWQVJ6MkNpODdQam1sZWQzOTdEK1R3akM1MXcrd2p0K3BpbkVXbGxRRWFoejV6blZnQUlXbzF0VkZUbStIMmdJTVFMM2ZEUUdIbDI3eUZOYzQ3S2dZSnNrVzdRa2tuclZlMnp3SW8wb2Zsb0hwMVlXMHZybmxKMnU2R2F1bmVxN3Vub3Uzd1ZyQitYUzF3Tm9aNHZ1Wnk4YUxoeGQ5endoQk9zTUxGZzl4Y29MZzlnK05zLzBCUFZTbkFYYnhmWmNTbFE2d0tYNFpzSmcvdjNDZUs1cFRTNjZpQm9adUNBMnBTL3BPMG5Gblc0bTBEVTNQUXV4dVJVa2ZCUWNKY1BWUHpwOWtGK0I2cFJnY2pUV3J2bEdEV292NzE3bW1OOUpsYkRUUzVYTzJlWHBmZm1nYnNsZFRFTWdQZ2o5SVhrR0xwb1R5am1ib1V1N0ZqRWtkakNmRGd5dHY3UHlvUTJRaVZCNytuUGQ1WWkydFdaQ29VaE4wUEpHd2h5dkpLRGxIN2FhZnYwdElwVElCbmlORXQ3VDg1bVZXV3pvRVQrQmllZ0djd0hKVUNrM0V5ZFMrTmgzU01BMGE3ZkNiajk1S09FM3Y2T1JnNU4wM2t4VTFwb01qK2I1alNqdi84ZWJ2L1pIcjlyS1RrYzJGMVFlbWxTMkdDdXllc2prS29TZ1c1T0tmKzR4ZHNqbTVwdU44MHYzNGNyaXkzdmVBMXVIVVIwR0lEcHF0akxTMkkwNW9zUjRsWXV3bnNJRExmWUdhNHRLZTI0Z2ZCWlpaVFhENHl1WjlHNDd6dno5ZVZEWUZpbW5sd09XTlBweVVZcFJBdDhYL2ljWWNVTHIwSW1aZGRhTDE4Z3hyTEtFOEluUFVxbEpBWC95cEI1eThCaDJ1cnM1b0FwRTE5VUFueWhnSXVuWjhKbFRWaVV6OEdINmVFcWZnQjBNaExtdFk3ckdvV3UwNWxiOFdWR0ZsVFcxYkRIU1RNc0o3bnI1TlhNekNEZEhMNlVXenFsbmE0RlVtRmlHZTdBTEV0eUE0M1MrcEdacVEveTF2NE91Q3MyczFLcUdtUlVNVGs3cXNzTFIyQ2pCNHVOdkVjRUlWZFQ0dXpjYkRzQkFCYUlSNU15d1RaL1cxRzNsQWNLc3cvKzdNWm1kYmF3RDVQaFBtdTV0S0xHd0RkVk12Ym4rTXVZcGFBUGdlWjk1UUZHdXVtTDZkWjVLWS9QQ1MzeGRtZEEweXVvR0hrd3UzbVJBU1lBQWhlVmdyRk12RGdPbktrR1QrcVhYY0RQZVFjOVNna0VRV1h3QWpWRUlLaHJvTFdqdlNuMEF0SjRsTm5KbEt4S1lJODUyZncyaGlLbXhsWmV6amxZZFRsRjJ0ekxhSUNmaTNleGdIeFlsMGJBeHVNWTQvUkpQNGU5VDAwSWxYS0V5TkxGUnp6Zm02LzVRd2xLNE45Q1pHS2gwVVppWFRXUkZYdXp0aWw2Tm9JUytVbEEyT1NqZzF0NnVBbkk2ZEs0bFErdVIva2cvWThFVU1nVHhIeDRKdWtpVUNRcUFKLzJTTjFrbnQxRGtzNUxuN1c4eDZLczBsYlRQTHRxVTdDc082VG1jeERtbTZNZy9DLzNqVjVrVmhKd093WGpTOWlKdlNVNHZnckI3TWh4US9PNlZRcGtFeUEydFJxN1ZpSm5IQTVZcjNwWVNjeUVMZVRLWGY4RmhwNTJPZz09
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

JvR5E
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

93YwZa4G
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Music\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

RA5FFazoqGvwP9KTp9u4wgdr
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\tZHda_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE

You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

How to get to our page
--------------------------------------------------------------------------------
|                                                                              |
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
|                                                                              |
--------------------------------------------------------------------------------

Your ID:
--------------------------------------------------------------------------------
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
--------------------------------------------------------------------------------

* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

aPDOjHEAOwCL
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion
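The Malware Config entries above show what the sandbox's extractor pulls from each dropped note: path, family and the two .onion URLs. The following parser is an added example (not the sandbox's own extractor) that recovers those fields plus the ones an incident responder needs to scope the case: the appended file extension, which onion is the leak site and which the payment portal, the victim ID, the stated deadlines and the random trailing token. The embedded note is the one reproduced on this page, with the victim ID replaced by a constructed placeholder; the field names are this example's own.

```python
import re

# Constructed sample input: the note reproduced on this page, with the victim
# ID (a long base64 blob in the real note) replaced by a placeholder string.
SAMPLE_NOTE = """\
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .CBDdcADECE
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|  1. Download Tor browser - https://www.torproject.org/                       |
|  2. Install Tor browser                                                      |
|  3. Open link in Tor browser - avaddonbotrxmuyl.onion                        |
|  4. Follow the instructions on this page                                     |
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
VICTIMIDPLACEHOLDER0000=
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
1ovn5tqubV7gsxJ6wrIn
"""

# v2 (16 base32 chars) or v3 (56 base32 chars) onion hostname
ONION = r"[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion"


def parse_avaddon_note(text: str) -> dict:
    """Recover the operator-controlled fields from an Avaddon-style ransom note.

    Returns the kind of record the sandbox shows under Malware Config
    (family, onion URLs) plus the fields useful for scoping an incident.
    """

    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    onions = sorted(set(re.findall(rf"\b({ONION})\b", text)))
    portal = grab(rf"Open link in Tor browser - ({ONION})")
    # Two-part attribution: the note header plus an operator-named Tor portal.
    is_avaddon = "Your network has been infected!" in text and bool(
        portal and portal.startswith("avaddon")
    )
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    tail = lines[-1] if lines and not lines[-1].startswith("*") else None
    return {
        "family": "avaddon" if is_avaddon else "unknown",
        "extension": grab(r"have the extension:\s*(\.[A-Za-z0-9]+)"),
        "leak_site": grab(rf"news website \(({ONION})\)"),
        "portal": portal,
        "onion_urls": ["http://" + h for h in onions],
        # the ID sits between two rule lines under "Your ID:"
        "victim_id": grab(r"Your ID:\s*-{10,}\s*([A-Za-z0-9+/=]+)\s*-{10,}"),
        "deadlines_days": [int(d) for d in re.findall(r"(\d+) days", text)],
        # Random string after the warning block. It differs per dropped copy,
        # which is why every tZHda_readme_.txt on this page has a different hash.
        "trailing_token": tail,
    }


if __name__ == "__main__":
    for key, value in parse_avaddon_note(SAMPLE_NOTE).items():
        print(f"{key:15} {value}")
```

Because the body is identical across copies and only the trailing token varies, a hash-based IoC for the readme is worthless; match on the body (header string, extension, onion names) instead.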

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020. The operation announced its shutdown and released its decryption keys in June 2021, so this is a sample of a retired family.

  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this trace it fires on the three 64-bit wmic.exe instances (PIDs 2424, 2532, 4756) that appear at the top level of the process tree rather than as children of the sample.

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (172) files with added filename extension

    This suggests ransomware encrypting files across the system; the ransom note names the appended extension as .CBDdcADECE.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. The vssvc.exe instance in the process tree (PID 4816) is the service being started on demand while the wmic SHADOWCOPY DELETE commands run.

Processes

  • C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    "C:\Users\Admin\AppData\Local\Temp\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:708
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4432
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2624
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:3296
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2424
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2532
  • C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:4756
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4816
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    1⤵
    • Executes dropped EXE
    PID:4152
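The process tree above is the whole detection story for this sample: code running from a user profile, six shadow-copy deletions through wmic, and the sample re-launching an identical copy of itself from Roaming\Microsoft\Windows. The following is an added example, not part of the sandbox report, of detection logic run over process-creation records (Sysmon event 1 / Security 4688 style) constructed from that tree. PIDs, images and command lines are the ones shown on the page; parent PIDs are an assumption derived from tree depth (the page shows depth, not PPIDs), with 0 standing for a parent absent from the trace. The rule names and the ProcEvent record type are this example's own.

```python
import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 or Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING_DIR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
WMIC32 = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
WMIC64 = r"C:\Windows\system32\wbem\wmic.exe"
SHADOW_CMD = "wmic SHADOWCOPY DELETE /nointeractive"

# Constructed from the process tree on this page. Parent PIDs are assumed
# (the page shows tree depth only); 0 marks a parent absent from the trace.
EVENTS = [
    ProcEvent(708, 0, ntpath.join(TEMP_DIR, SAMPLE), f'"{ntpath.join(TEMP_DIR, SAMPLE)}"'),
    ProcEvent(4432, 708, WMIC32, SHADOW_CMD),
    ProcEvent(2624, 708, WMIC32, SHADOW_CMD),
    ProcEvent(3296, 708, WMIC32, SHADOW_CMD),
    ProcEvent(2424, 0, WMIC64, SHADOW_CMD),
    ProcEvent(2532, 0, WMIC64, SHADOW_CMD),
    ProcEvent(4756, 0, WMIC64, SHADOW_CMD),
    ProcEvent(4816, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(4152, 0, ntpath.join(ROAMING_DIR, SAMPLE), ntpath.join(ROAMING_DIR, SAMPLE)),
]

# token sets for the usual recovery-inhibition one-liners (T1490)
SHADOW_DELETE_PATTERNS = (
    {"wmic", "shadowcopy", "delete"},
    {"vssadmin", "delete", "shadows"},
    {"wbadmin", "delete", "catalog"},
)


def deletes_shadow_copies(cmdline: str) -> bool:
    """True when the command line contains one of the deletion token sets."""
    toks = set(cmdline.lower().split())
    return any(pattern <= toks for pattern in SHADOW_DELETE_PATTERNS)


def in_user_writable_dir(image: str) -> bool:
    """Anything under a profile's AppData is writable without admin rights."""
    low = image.lower()
    return "\\users\\" in low and "\\appdata\\" in low


def triage(events):
    """Return (rule, pid) findings for the three behaviours seen in the tree."""
    by_pid = {e.pid: e for e in events}
    first_seen = {}  # executable basename -> pid of its first launch
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        if deletes_shadow_copies(e.cmdline):
            findings.append(("inhibit_system_recovery", e.pid))
        if in_user_writable_dir(e.image):
            findings.append(("exec_from_user_writable_dir", e.pid))
            # Same file name launched again from a different user-writable
            # path: the self-copy this sample drops in Roaming\Microsoft\Windows.
            prev = first_seen.get(name)
            if prev is not None and by_pid[prev].image.lower() != e.image.lower():
                findings.append(("self_copy_reexecuted", e.pid))
        first_seen.setdefault(name, e.pid)
    return findings


def ancestors(ev, by_pid):
    """Walk up the tree; stops at an unknown parent or a cycle."""
    seen = set()
    parent = by_pid.get(ev.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        yield parent
        parent = by_pid.get(parent.ppid)


def verdict(events) -> str:
    """Escalate when a shadow-copy deletion descends from user-profile code."""
    by_pid = {e.pid: e for e in events}
    for e in events:
        if deletes_shadow_copies(e.cmdline) and any(
            in_user_writable_dir(a.image) for a in ancestors(e, by_pid)
        ):
            return "ransomware-like: shadow copies deleted under a user-writable process tree"
    return "no chained indicator"


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:30} pid={pid}")
    print(Counter(rule for rule, _ in triage(EVENTS)))
    print(verdict(EVENTS))
```

The chained verdict matters more than any single rule: an administrator running vssadmin from an elevated console trips the first rule alone, while the sample trips all three and the chain. The three 64-bit wmic.exe instances have no parent in the trace, so they contribute to the count but not to the chain; in real telemetry their PPID would be present and the ancestor walk would cover them too.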

Network

MITRE ATT&CK Matrix ATT&CK v13 (hits per technique in parentheses)

  • Privilege Escalation
    T1548 Abuse Elevation Control Mechanism (1)
    T1548.002 Bypass User Account Control (1)
  • Defense Evasion
    T1548 Abuse Elevation Control Mechanism (1)
    T1548.002 Bypass User Account Control (1)
    T1562 Impair Defenses (1)
    T1562.001 Disable or Modify Tools (1)
    T1112 Modify Registry (2)
    T1070 Indicator Removal (1)
    T1070.004 File Deletion (1)
  • Discovery
    T1082 System Information Discovery (3)
    T1012 Query Registry (1)
    T1120 Peripheral Device Discovery (1)
  • Impact
    T1490 Inhibit System Recovery (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275.exe
    Filesize 775KB
    MD5 117da2dd6fa24616f63eb43d5a15e5d3
    SHA1 b4d70eecdef52ceef15f04a025d1ab08f193fb97
    SHA256 48d7cd572f14aed7a90d6b66097a885a889e6e7416a6aaa2eb442706ff661275
    SHA512 de2e5538e8dd8210b630eca0fc611f0ba0dcb805b3a745c38a6f46ee9acfe8785c917b9452e0d6f70f675030430b65b352d695106bae639b20e0dbb2dd95e375
    (identical hashes to the submitted sample: the Roaming copy is an unmodified self-copy)
  • C:\Users\Admin\Documents\tZHda_readme_.txt
    Filesize 3KB
    MD5 1e2273b0b8f6e573073eb6d75ce37e9d
    SHA1 489a03cbcade5b7f630a925bbde127915257c548
    SHA256 4b7db329f68d2f706a47b7825d2761466bead2cde4adeb1b55d0cc88ecb2c240
    SHA512 44b569eb81f9ef522cb978e3de4eb36fa712985130214d8b5d27cfbe5c09b32700a4cfd5ae2ff408d37f80143fe4f17f8eec1ec71ae2caaa3eec1601eae4f501
  • C:\Users\Admin\Documents\tZHda_readme_.txt
    Filesize 3KB
    MD5 6541e2d8d9a02ac283d3f9c2f0a7ba8c
    SHA1 442eae09fe85c0eb2de379f2dcffcf741becd0a5
    SHA256 7bc3d5fd9082dcc1040cf9ee24ee2082e2172f0d78518af34e4e97195551c232
    SHA512 b32f44bbc4839aaf74dfd31ab91989b3aa6bef598d4bc36a06515be26d13d2fc5750fe235e1ddb71b6c7bedbe7e2849b1561b872481ff800112c7eeebf6cc039
  • C:\Users\Admin\Downloads\tZHda_readme_.txt
    Filesize 3KB
    MD5 279ca6a9aead0d20776c492440086d7c
    SHA1 5e52a038fc41baa8c4bd1d159d3d8fbcd32205a0
    SHA256 5c5341326ecb5a81995b0447a89d361b963dd6307ac551c4ededffa72f6b8f93
    SHA512 6efaeb596f64246482b15bf3249afcb2edd91d43b75a33fdfd4cc10b864bdda7054a57b193776d231930857c82a23eee47bf6073da2b6ad6762a66c855845a3d
  • C:\Users\Admin\Downloads\tZHda_readme_.txt
    Filesize 3KB
    MD5 03f1d33695afa8046a22b481b8669f6b
    SHA1 1c6b5b0915584b22ca77b1dc287594de44c79860
    SHA256 50b84f54d473d5fc7be84bd2965433bc0610ef23de7d61de7330acc200a053fe
    SHA512 f1d16f31e5b4d43d092e4917b3ff68e1e15c64f148c093abc55ad74a23967bc40b726961a4e0ffc7b83d6d7ba0f177bcbf36bd1e8e7b6bf067a06ef2f305857b
  • C:\Users\Admin\Music\tZHda_readme_.txt
    Filesize 3KB
    MD5 b84db797ddba733ed67db3dcd64bdece
    SHA1 416af6186f1affc888e32d6fa92b329e9bc78e3e
    SHA256 87343073520c6bc506223641906f4b2308362e4bfd5f797140caf85972af635b
    SHA512 e349615bcb664c90934edc6a7b2a71871682d86fce6766df0291ef0639901dc41b8f7fa00e47a604822b5be800dd3158032e6b5e000bf82af01bbb00d9219ab5
  • C:\Users\Admin\Music\tZHda_readme_.txt
    Filesize 3KB
    MD5 92fef6b97acaa23e8c7c20e9ec7e6c92
    SHA1 281bdf7698c0260d846641dc2904ec66d32163c0
    SHA256 4a869527415b1f70b057166087c69411fcb6f86b6bf3d567164888a89b3ee0c4
    SHA512 e0ff5385185e6418e0b0ee3e4e0557f95c9f5bce935f0b69d07f12ba48a72bbb191b4deb74847d03d34575a5b8c13988efb9a10e628663ce23f3f2c45a345ecf
  • C:\Users\Admin\Pictures\tZHda_readme_.txt
    Filesize 3KB
    MD5 4cf936e1303d89e719532efb5d3d4c6c
    SHA1 65606cfbb9c4e6b85b4c218a1008733b67654847
    SHA256 986e73ea02ff72de8aa98c5848e1006030577ee36a6698d8ce278bb1536f3f7b
    SHA512 155f53ef175a59cb4cd2394f79414a748f32e94cd8aeaad5907a245d6437f15aa32329ebc9b4a398ac1f68949bc89705b1646b51fcc8fb323f886fe40c67b6a7