Malware Analysis Report

2024-09-22 16:09

Sample ID 240402-mn51bsfg65
Target 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip
SHA256 7878cf70c5dd089c1ba2cebb2d76b16b4e2a21e3fe8241f06d1e360f037c3cff
Tags
avaddon evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7878cf70c5dd089c1ba2cebb2d76b16b4e2a21e3fe8241f06d1e360f037c3cff

Threat Level: Known bad

The file 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip was found to be: Known bad.

Malicious Activity Summary

avaddon evasion ransomware trojan

Avaddon payload

Process spawned unexpected child process

UAC bypass

Avaddon

Avaddon family

Renames multiple (128) files with added filename extension

Deletes shadow copies

Renames multiple (183) files with added filename extension

Executes dropped EXE

Enumerates connected drives

Drops desktop.ini file(s)

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

System policy modification

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:37

Signatures

Avaddon family

avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:37

Reported

2024-04-02 10:41

Platform

win7-20240221-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Deletes shadow copies

ransomware

Renames multiple (183) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
(row repeated 64 times in the original table; no indicator or target is recorded for these events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2740 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2052 wrote to memory of 1232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
PID 2052 wrote to memory of 1232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
PID 2052 wrote to memory of 1232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
PID 2052 wrote to memory of 1232 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ab.exe

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\taskeng.exe

taskeng.exe {E749BE6E-21BC-47F7-B135-D50D9BBD07FC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
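The Signatures and Processes above give three things a detection engineer would key on: the shadow-copy deletion command lines (vssadmin Delete Shadows /All /Quiet, wmic SHADOWCOPY DELETE /nointeractive), the registry writes that switch UAC off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0) and link the standard and elevated tokens' drive mappings (EnableLinkedConnections = 1), and two parent/child oddities (wmic.exe under wmiprvse.exe; the persisted copy in AppData\Roaming launched by taskeng.exe, the Windows 7 Task Scheduler engine). The block below is an added example, not the sandbox's or the sample's code: it runs those rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). PIDs and paths come from the tables where they exist; the parent of the initial sample, the PIDs of the wmiprvse-spawned wmic.exe and the benign control row are assumed.

```python
"""Detection rules for the behaviours recorded in this report, run over
constructed Sysmon-style events. Added example, not sandbox or sample code."""
import re

EVENTS = [
    # Initial sample. Its parent process is assumed; the report does not record it.
    {"EventID": 1, "ProcessId": 2740, "ParentProcessId": 1900,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\ab.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\ab.exe"'},
    # Shadow-copy deletion children (PIDs from the WriteProcessMemory table).
    {"EventID": 1, "ProcessId": 2368, "ParentProcessId": 2740,
     "Image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ab.exe",
     "CommandLine": "wmic SHADOWCOPY DELETE /nointeractive"},
    {"EventID": 1, "ProcessId": 1768, "ParentProcessId": 2740,
     "Image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\ab.exe",
     "CommandLine": "vssadmin Delete Shadows /All /Quiet"},
    # 64-bit wmic.exe reported with wmiprvse.exe as parent (PIDs assumed).
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 2900,
     "Image": r"C:\Windows\system32\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": "wmic SHADOWCOPY DELETE /nointeractive"},
    # Persisted copy started by the Windows 7 Task Scheduler engine.
    {"EventID": 1, "ProcessId": 1232, "ParentProcessId": 2052,
     "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe",
     "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe"},
    # Registry writes from the System policy modification table. Sysmon
    # reports the hive as HKLM; the sandbox uses the native \REGISTRY\MACHINE form.
    {"EventID": 13, "ProcessId": 2740,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\ab.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 2740,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\ab.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 2740,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\ab.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    # Benign control (constructed): an administrator's WMI query from cmd.exe.
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
]

# Command lines that destroy Volume Shadow Copies via vssadmin or WMIC.
SHADOW_DELETE = re.compile(
    r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)

# Values under the UAC policy key, accepting both hive spellings.
POLICY_KEY = re.compile(
    r"^(?:hklm|\\registry\\machine)\\software\\microsoft\\windows\\currentversion"
    r"\\policies\\system\\([^\\]+)$", re.I)
UAC_TAMPER = {"enablelua": 0,                   # UAC disabled at next reboot
              "consentpromptbehavioradmin": 0}  # administrators elevate without a prompt


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dword(details):
    """Parse Sysmon's 'DWORD (0x........)' Details field; None if not a DWORD."""
    m = re.search(r"DWORD \(0x([0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return (rule, ProcessId) pairs for every event that matches a rule."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            image, parent = _basename(e["Image"]), _basename(e.get("ParentImage", ""))
            if SHADOW_DELETE.search(e["CommandLine"]):
                findings.append(("shadow_copy_deletion", e["ProcessId"]))
            if image == "wmic.exe" and parent == "wmiprvse.exe":
                findings.append(("wmic_spawned_by_wmiprvse", e["ProcessId"]))
            if parent == "taskeng.exe" and "\\appdata\\roaming\\" in e["Image"].lower():
                findings.append(("scheduled_task_runs_appdata_binary", e["ProcessId"]))
        elif e["EventID"] == 13:
            m = POLICY_KEY.match(e["TargetObject"])
            if not m:
                continue
            name, value = m.group(1), _dword(e["Details"])
            if name.lower() in UAC_TAMPER and UAC_TAMPER[name.lower()] == value:
                findings.append(("uac_policy_disabled:" + name, e["ProcessId"]))
            elif name.lower() == "enablelinkedconnections" and value == 1:
                # Elevated processes now see the user's mapped drives (Z: in this run).
                findings.append(("linked_connections_enabled", e["ProcessId"]))
    return findings


FINDINGS = detect(EVENTS)

if __name__ == "__main__":
    for rule, pid in FINDINGS:
        print(f"{rule:45} pid={pid}")
```

The benign WMIC query trips nothing because the rules key on the shadowcopy verb and the wmiprvse.exe parent rather than on wmic.exe itself; the registry rule compares the written DWORD, so a write of EnableLUA = 1 (re-enabling UAC) is not flagged.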

Network

N/A

Files

C:\Users\Admin\Desktop\jBfcT_readme_.txt

MD5 7e12e0be842647442088e9e2ef860b72
SHA1 d111ff0ac7ca5d446ce5283a919bc569de906746
SHA256 cd206f963edae2f936fe854c65832ad5f432a6a67cb37a79ac91e2ffe58cc0a3
SHA512 df88cc88eac883423e746ffc9516673d8c7f962ccf3d0a732353846581fc9fe3654aad51910ec16cfca2fe4c0fa6ec8369affcf0129e7369e3a7a423c0542d1b

C:\Users\Admin\Documents\jBfcT_readme_.txt

MD5 a3a0053caab46f82e6d3cfa7096ddadb
SHA1 c33cd0a0bb5df96c69b21cea1559b9430f542e60
SHA256 fff9f2ce1df7ef7d47daa6ab12167271798cc02db00ce094a23a1dedc81f8e03
SHA512 6e3beaa534146c5726741be040b1cfda9b3847806efbd75083ed8a81ae187f1b0e25299fbff149b6d0c267de7ded85f1ddd1e0c95426ae371c7b79f9689ea879

C:\Users\Admin\Music\jBfcT_readme_.txt

MD5 4b97d220514ce849e0be544f76f6ac48
SHA1 8b81e1907fd44dbee6b8ea1c683bb7dd9128d72a
SHA256 769d3a1cb3d79029993e6df995bd05d781dd721a886aa370bbe77ff61cd8b023
SHA512 df9e881236d6dfe9bada00ad65d390bda1e34b43596ccfc8c5c69030f28ff4eec8e3c9d3d06a014a98782ed9d154b20572a15cd8defb05997219d674788f97c0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
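The behavioral1 run counts 183 files renamed with an added extension and lists the same note, jBfcT_readme_.txt, dropped in Desktop, Documents and Music. The block below is an added example of the two heuristics behind those observations, not the sandbox's implementation: an extension-append check over rename events (same directory, old name intact, exactly one dotted suffix added) and a fan-out count of one filename created across many directories. The appended extension ".locked" and every path other than the note name are constructed; the report does not disclose the extension the sample appends.

```python
"""Rename-burst and note-fan-out heuristics over constructed file events.
Added example; not the sandbox's own signature code."""
from collections import Counter, defaultdict
import ntpath  # Windows path splitting that also works on non-Windows hosts

RENAMES = [  # (old_path, new_path): constructed rename events
    (r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.locked"),
    (r"C:\Users\Admin\Documents\plan.docx", r"C:\Users\Admin\Documents\plan.docx.locked"),
    (r"C:\Users\Admin\Music\track01.mp3", r"C:\Users\Admin\Music\track01.mp3.locked"),
    (r"C:\Users\Admin\Desktop\photo.jpg", r"C:\Users\Admin\Desktop\photo.jpg.locked"),
    (r"C:\Users\Admin\Desktop\archive.tar.gz", r"C:\Users\Admin\Desktop\archive.tar.gz.locked"),
    (r"Z:\share\q3.pptx", r"Z:\share\q3.pptx.locked"),
    # Benign: saved under a new name, extension replaced rather than appended.
    (r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\final.docx"),
    # Benign: an editor swapping its temp file into place.
    (r"C:\Users\Admin\Documents\notes.txt.tmp", r"C:\Users\Admin\Documents\notes.txt"),
    # Not counted: the rename also changes directory.
    (r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\Desktop\setup.exe.bak"),
]

CREATES = [  # created files: constructed paths using the report's note name
    r"C:\Users\Admin\Desktop\jBfcT_readme_.txt",
    r"C:\Users\Admin\Documents\jBfcT_readme_.txt",
    r"C:\Users\Admin\Music\jBfcT_readme_.txt",
    r"Z:\share\jBfcT_readme_.txt",
    r"C:\Users\Admin\Desktop\desktop.ini",
    r"C:\Users\Admin\Documents\desktop.ini",
    r"C:\Users\Admin\Downloads\report.pdf",
]


def appended_extension(old, new):
    """Return the extension appended to `old` to yield `new`, or None.
    Only same-directory renames count, the old name must survive intact,
    and exactly one dotted suffix may be added (a.docx -> a.docx.locked)."""
    old_dir, old_name = ntpath.split(old)
    new_dir, new_name = ntpath.split(new)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name):]
    return ext.lower() if ext.count(".") == 1 and len(ext) > 1 else None


def rename_burst(renames, threshold=5):
    """{extension: count} for extensions appended to at least `threshold`
    files. In production evaluate this per process over a short time window;
    here it runs over a single batch."""
    counts = Counter()
    for old, new in renames:
        ext = appended_extension(old, new)
        if ext:
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def note_fanout(creates, min_dirs=3):
    """{filename: n_dirs} for names created in at least `min_dirs` distinct
    directories, the drop pattern of a ransom note."""
    dirs = defaultdict(set)
    for path in creates:
        directory, name = ntpath.split(path)
        dirs[name.lower()].add(directory.lower())
    return {name: len(d) for name, d in dirs.items() if len(d) >= min_dirs}


if __name__ == "__main__":
    print("appended extensions:", rename_burst(RENAMES))
    print("note fan-out:", note_fanout(CREATES))
```

desktop.ini stays under the fan-out threshold here, but on a real host Explorer writes it into many folders, so a production rule should also exclude well-known system filenames or require the note to be created by the same process that performs the renames.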

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:37

Reported

2024-04-02 10:41

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Deletes shadow copies

ransomware

Renames multiple (128) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
(row repeated 64 times in the original table; no indicator or target is recorded for these events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ab.exe

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
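The Network table for this run shows TCP connections to 10.127.0.1 through 10.127.0.6 on ports 445 and 139, interleaved with reverse-DNS lookups for the same addresses. Walking consecutive internal addresses on the SMB ports in this fashion is what share enumeration for network encryption looks like from the wire; whether the in-addr.arpa queries are the sample's or Windows' own name resolution cannot be told from this view. The block below is an added example, not the sandbox's logic: a sliding-window detector that flags a source reaching many distinct private hosts on 445/139 within a short interval. The sandbox's own address, the timestamps and the benign rows are constructed; the report lists only destinations and ports.

```python
"""SMB fan-out detector over constructed connection records.
Added example; not the sandbox's own network analysis."""
import ipaddress
from collections import defaultdict

SMB_PORTS = {445, 139}

CONNECTIONS = [  # (seconds, src, dst, dport, proto): constructed
    (0.0, "10.127.0.20", "8.8.8.8", 53, "udp"),  # the table's reverse-DNS lookups
    (1.0, "10.127.0.20", "10.127.0.1", 445, "tcp"),
    (1.0, "10.127.0.20", "10.127.0.1", 139, "tcp"),
    (2.0, "10.127.0.20", "10.127.0.2", 445, "tcp"),
    (2.0, "10.127.0.20", "10.127.0.2", 139, "tcp"),
    (3.0, "10.127.0.20", "10.127.0.3", 445, "tcp"),
    (3.0, "10.127.0.20", "10.127.0.3", 139, "tcp"),
    (4.0, "10.127.0.20", "10.127.0.4", 445, "tcp"),
    (4.0, "10.127.0.20", "10.127.0.4", 139, "tcp"),
    (5.0, "10.127.0.20", "10.127.0.5", 445, "tcp"),
    (5.0, "10.127.0.20", "10.127.0.5", 139, "tcp"),
    (6.0, "10.127.0.20", "10.127.0.6", 445, "tcp"),
    (6.0, "10.127.0.20", "10.127.0.6", 139, "tcp"),
    # Benign: a workstation mapping shares on its two usual file servers.
    (2.5, "10.127.0.30", "10.127.0.100", 445, "tcp"),
    (2.7, "10.127.0.30", "10.127.0.101", 445, "tcp"),
    # Same five destinations spread over an hour: never inside one window.
    (0.0, "10.127.0.40", "10.127.0.1", 445, "tcp"),
    (900.0, "10.127.0.40", "10.127.0.2", 445, "tcp"),
    (1800.0, "10.127.0.40", "10.127.0.3", 445, "tcp"),
    (2700.0, "10.127.0.40", "10.127.0.4", 445, "tcp"),
    (3600.0, "10.127.0.40", "10.127.0.5", 445, "tcp"),
]


def smb_fanout(conns, min_hosts=5, window=60.0):
    """Return {src: [dst, ...]} for every source that reached at least
    `min_hosts` distinct private addresses on SMB ports inside some sliding
    window of `window` seconds. Non-TCP flows and public destinations are
    ignored so DNS and web traffic cannot inflate the count."""
    by_src = defaultdict(list)
    for t, src, dst, dport, proto in sorted(conns, key=lambda c: c[0]):
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        if not ipaddress.ip_address(dst).is_private:
            continue
        by_src[src].append((t, dst))

    hits = defaultdict(set)
    for src, events in by_src.items():
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in events[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                hits[src] |= hosts
    return {src: sorted(h, key=ipaddress.ip_address) for src, h in hits.items()}


if __name__ == "__main__":
    for src, dsts in smb_fanout(CONNECTIONS).items():
        print(f"{src} probed {len(dsts)} hosts on SMB: {', '.join(dsts)}")
```

The threshold and window are the tuning knobs: a backup server or a vulnerability scanner legitimately touches many hosts on 445, so in production this rule is scoped by an allow-list of such sources, and a hit is far more convincing when the same host has also produced the process-creation and registry events listed earlier in this report.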

Files

C:\Users\Admin\Desktop\4sU1n_readme_.txt

MD5 d70fca0e168c54291649c8c56d458997
SHA1 f1e6ed918148508c7b25e171009e7e1cc8f98ab7
SHA256 d9b62c4a3968eceb660e938c385934ab2b9128cddaec219e6302cb0b01431073
SHA512 7e8054ae7ea71e0e2afef9daa7195171e43dacd7e9b39c54e8a837accb251e7aa3844b201b2f6b0bb6a442b9053bdb4d2788e1f43529a11d7a849d88caf628ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619