Malware Analysis Report

2024-09-22 16:11

Sample ID: 240402-qeq2labb26
Target: 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip
SHA256: 96779e567a562e3fd3006968adf4f69436271d32d662cffab3eaaa29a6a17975
Tags: avaddon, evasion, ransomware, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 96779e567a562e3fd3006968adf4f69436271d32d662cffab3eaaa29a6a17975
Threat Level: Known bad

The file 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip was found to be: Known bad.

Malicious Activity Summary

Tags: avaddon, evasion, ransomware, trojan

- Avaddon family
- Process spawned unexpected child process
- Avaddon payload
- UAC bypass
- Avaddon
- Renames multiple (170) files with added filename extension
- Deletes shadow copies
- Renames multiple (203) files with added filename extension
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Unsigned PE
- Enumerates physical storage devices
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy service COM API
- Suspicious behavior: EnumeratesProcesses
- Interacts with shadow copies
- Suspicious use of WriteProcessMemory
- System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-04-02 13:10

Signatures

Avaddon family

Tags: avaddon

Avaddon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 13:10
Reported: 2024-04-02 13:13
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

Tags: ransomware, avaddon

Avaddon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe

UAC bypass

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Deletes shadow copies

Tags: ransomware

Renames multiple (170) files with added filename extension

Tags: ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
(this row is repeated 64 times in the original report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

Process image path, with its command line indented beneath it:

C:\Users\Admin\AppData\Local\Temp\ab.exe
    "C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp
N/A | 10.127.1.1:445 |  | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
N/A | 10.127.1.1:139 |  | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.1.127.10.in-addr.arpa | udp
N/A | 10.127.1.2:445 |  | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp
N/A | 10.127.1.2:139 |  | tcp
US | 8.8.8.8:53 | 2.1.127.10.in-addr.arpa | udp
N/A | 10.127.1.3:445 |  | tcp
N/A | 10.127.1.3:139 |  | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.1.127.10.in-addr.arpa | udp
N/A | 10.127.1.4:445 |  | tcp
N/A | 10.127.1.4:139 |  | tcp
US | 8.8.8.8:53 | 4.1.127.10.in-addr.arpa | udp
N/A | 10.127.1.5:445 |  | tcp
N/A | 10.127.1.5:139 |  | tcp
US | 8.8.8.8:53 | 5.1.127.10.in-addr.arpa | udp
N/A | 10.127.1.6:445 |  | tcp
N/A | 10.127.1.6:139 |  | tcp

Files

C:\odt\6Rfgx_readme_.txt

MD5 b3ced0d210b6a3451cc7b78f905b0371
SHA1 fed84477efeb4602cd5a527f0122ccf600344f26
SHA256 2f58cd6fb4b2099ef1d8440f6ba972473abb7ad5bea3545def3adab47118ec95
SHA512 224dbf27660b914e8ae14e995e08b495a80f1f42613e6b1009d83999da329704271b8b168136094a7f0b55f98e154b67ea6a2d5e333388d2c9ed4e21abf4ba29

C:\Users\Admin\Downloads\6Rfgx_readme_.txt

MD5 4eed1498cdde1a8d6000ccc213f8ccf4
SHA1 551310283e0ff4ed9fa296ca738882e8d71fb0fa
SHA256 ed83da503dc1a848bf8023b4951c414935baa0700f25be068f56889249693a54
SHA512 a881f90816b8c0243fa594506ecdf880c8eb672a593bbf549aeb1ddab94273bbaafac0bf3570b88d0761e65482e7c83327e0f2a506f843779320913aee47e41e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 13:10
Reported: 2024-04-02 13:14
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

Tags: ransomware, avaddon

Avaddon payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe

UAC bypass

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Deletes shadow copies

Tags: ransomware

Renames multiple (203) files with added filename extension

Tags: ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
(this row is repeated 64 times in the original report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 328 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\Wbem\wmic.exe
PID 328 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 328 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\ab.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 2796 wrote to memory of 2452 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
PID 2796 wrote to memory of 2452 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
PID 2796 wrote to memory of 2452 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
PID 2796 wrote to memory of 2452 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ab.exe | N/A

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

Process image path, with its command line indented beneath it:

C:\Users\Admin\AppData\Local\Temp\ab.exe
    "C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\taskeng.exe
    taskeng.exe {DEA82F87-6E8B-479D-8C87-73F8BF510827} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Network

N/A

Files

C:\Users\Admin\Desktop\CLkPQG0K_readme_.txt

MD5 cb55543d89b2374ba5f4c10eb5672289
SHA1 197cbc4f988df74e23b2d40e6fdbb2d2b251cc62
SHA256 7f7014c36f72617f456625f15f4734be246df010c402808b19585c8ed4cc87a7
SHA512 df8cbf7cb4ac96a7dc303cc98c3eeab5642d48b371f8c5c4197c6919f52f77514e852769e7c3297eb389ae2e80cd8d3715b68191f621844345637699441cc1ae

C:\Users\Admin\Documents\CLkPQG0K_readme_.txt

MD5 f24dbdaddfd38f795b8ae70a13404c1a
SHA1 6821101221badeb3df381b7c68e97e650cec6806
SHA256 12df535c3612f2df1fc91b2f6cf9a8182965fbb2f53554525af4dbc2c288f019
SHA512 f76d6452d783def10d4a46f68a09486355a02efb76ad1b960ac0b093bf2b5a6a1eb772a721f9ed5dac5e5843820d63e58c96a1dc3f243b2d52816cbc82044698

C:\CLkPQG0K_readme_.txt

MD5 7c4334fb74a944ce00650dd0fa47a869
SHA1 7db59d8bc0866f898176cd3148b6c69b25290f51
SHA256 4a8fe72690d869275f595d892e8272cf7770d698ca800493418d4053cb6e2d10
SHA512 51e319f843315d6dfa094cbcf03c88f6c1dc475f54c7c86f2da65842fc4567c6f264bdeaecd7e40b22908de8ecd210370503e326137cafb34926cf0f76106ab0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619