Malware Analysis Report

2024-09-22 16:12

Sample ID 240402-mn5pkafg64
Target 14db90c83f43d96505e48dc86efa5c57be8474fc993f00fb7d14d5ba4e21c341.zip
SHA256 07ef84183479fb52c38e6f2b0732e2379fe5e1c239cd729d92a5020811dee381
Tags
avaddon evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07ef84183479fb52c38e6f2b0732e2379fe5e1c239cd729d92a5020811dee381

Threat Level: Known bad

The file 14db90c83f43d96505e48dc86efa5c57be8474fc993f00fb7d14d5ba4e21c341.zip was found to be: Known bad.

Malicious Activity Summary

avaddon evasion ransomware trojan

UAC bypass

Process spawned unexpected child process

Avaddon family

Avaddon payload

Avaddon

Renames multiple (209) files with added filename extension

Renames multiple (169) files with added filename extension

Deletes shadow copies

Executes dropped EXE

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Interacts with shadow copies

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:37

Signatures

Avaddon family

avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:37

Reported

2024-04-02 10:41

Platform

win7-20240220-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Deletes shadow copies

ransomware

Renames multiple (209) files with added filename extension

ransomware

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1184 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
PID 1184 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
PID 1184 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe
PID 1184 wrote to memory of 3048 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\taskeng.exe

taskeng.exe {597FF6C5-490C-470E-8F46-93D8ECFFBD6F} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Network

N/A

Files

C:\Users\Admin\Desktop\Kgkge_readme_.txt

MD5 fb44c0bb27a89bad973a5408d7ba724a
SHA1 7ebdfbe15634de56b1accc4fe494cdc0f1110487
SHA256 2bf265f391a09f0b09044ab7bbcd63d21b73c9e85d1e03a385f6f5766634ffb4
SHA512 41c166f1e1868d20e004da0148e958b45009fc23aa37c279f6423230586afe2757d22571f7a59cac5c0feee3fb7ff3784f25c5ad99aa547d6b3aee50af4f35e1

C:\Users\Admin\Music\Kgkge_readme_.txt

MD5 e926d2e6043dcdddba65a2258fc09bce
SHA1 ca2d4f0a6bb394082f71fa43d6dd8a94fbaf5e48
SHA256 feddd982df2a9d8cf9de44bf7b0fd5e18f838ef31b61df259ccd536645eb4766
SHA512 fd5913a9b781d2948e6880b916394bbd3dc6a46461743c589524680b99b1b7fa194e0d67a0b1b66518a7ffe71de0a35bc993311a85aa836cb6085c5e9d1ab79a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

MD5 7fc5a1aafb84705745dba65e2a178217
SHA1 0825e3b2115c9053563a307402e32d28056223a7
SHA256 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512 b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:37

Reported

2024-04-02 10:42

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Deletes shadow copies

ransomware

Renames multiple (169) files with added filename extension

ransomware

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 408 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 408 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe C:\Windows\SysWOW64\Wbem\wmic.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

"C:\Users\Admin\AppData\Local\Temp\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe"

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp

Files

C:\Users\Admin\Documents\Bhril_readme_.txt

MD5 f49b4f98136dff21539e12d317cde9a3
SHA1 fdae0f4ffb7b40c1a0b07b2a022b7b0d830ea140
SHA256 56af4f56c53ec44fb6a021284ffe5e8b5c471e1ce276c5087c0292a9fa07079a
SHA512 a61694be103e64f403bd2d48700ef80d7087a3b172d8340bed7f53af7b45a6d3838fce7bb727ad7b3c41baf7d618a9e7fdb2bd5d05257fd542dd166901613ad3

C:\Users\Admin\Desktop\Bhril_readme_.txt

MD5 7aa589dab70b2479b3442801f76f8f54
SHA1 e20523c2e9be1480498327e1218f828121bf2c89
SHA256 ecc70de8a089294359a9dcc66142ecc4a51b64162fe08996f15866bcd92c3d4d
SHA512 0df28afbc52b5629a18ac5536311587379ae4d67b662b6722f1e9a9e2edab519e5581bcbfa2b1fcf08811043ff6fbdf0ebbe84f9c676ae63550c7f1642255e0a

C:\Users\Admin\Documents\Bhril_readme_.txt

MD5 fc6e0f3637065aff8c39940d296f03ba
SHA1 2b3c55e5b0e3950cfe3b0895e6710258028f0bbd
SHA256 c96e875b2ab0be0313cb4cb8391752f37b5037089ebfd6c7eefb3e26c8b109fd
SHA512 5a708b1e464ca24040e8c3576ffae1387d8fd10a6f293fb208956fecd1ab4817be85b800c071c86ae0d27de2450b4c67423d1a0acbaf91b089219b81d0a460ba

C:\Users\Admin\Downloads\Bhril_readme_.txt

MD5 b2f4c9305c81255a7bec6453e7f1560f
SHA1 7a6a79c862bc316886a61acae986be7c40af5fb1
SHA256 59c16566d895d34a78bf80488fcc8e8b9eb5bffe024a0cf344a4412b7f49d074
SHA512 d62fdd9ea5b7fd06f13133cf4f23a07e8c06fee9331fe2df532c7c975791cd188a29c08169adc57e0aefddd0bacd6eb0bdc49d270f9ffcaf8d3de5934b3fc7cb

C:\Users\Admin\Music\Bhril_readme_.txt

MD5 90ce8df8d60add5db17281c9487afe8f
SHA1 4592fce6720fef30e52584c2b01acaeb23c4c3f5
SHA256 cda9343739a404aeee533a96b6ce5a05fba03f66f40c3679efd6e1b2960c3023
SHA512 56f3c047549373d14be0765a0c852df156da910b67a5a5adf9961bfe89a29972f6199dd0ff6f7d32b860746bf9af1743dfb5cc9b5381ddda152780b4338fd17e

C:\Users\Admin\Pictures\Bhril_readme_.txt

MD5 881ec6cdb296ed8e32d95a417ad71556
SHA1 9aa7d95eb4dabc0af8b782009ff228c0d4673b2e
SHA256 b151a2f5f1783b9c611fd13041b9a2e539be52f79d067dfcb84b10e2f5882034
SHA512 6dea7712096b38b2047b9b5c67c09f9ff4d6846d4c592626ee0fa8b6a1299d0829064b32cd32fbdd5b2aabc996fe2d6641219c436e672dd0314b6af799408afb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a.exe

MD5 7fc5a1aafb84705745dba65e2a178217
SHA1 0825e3b2115c9053563a307402e32d28056223a7
SHA256 2462a1cc358704bf1f12d266a0cc596bce16ba58f8611aa0fdeb094f61f1631a
SHA512 b0a1ec5e8c28b4343457edf317e20fdd0489e983c01ab9205c10a409ab8a9aae1cf5645e625b2edebf7c7eb551b801a196b7e37616143dce4cb9d00b179be9d2