Malware Analysis Report

2024-09-22 16:18

Sample ID 240402-qv5vpabh45
Target 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip
SHA256 ce4e4ce9457bbe928d896fb19fa2bc3288f7504277efc9603639afe615eff1bd
Tags
avaddon evasion ransomware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ce4e4ce9457bbe928d896fb19fa2bc3288f7504277efc9603639afe615eff1bd

Threat Level: Known bad

The file 1d7051ad6ad4f278e54651e289fb01c034261bdb3e366ccea8c55fa834979118.zip was found to be: Known bad.

Malicious Activity Summary

avaddon evasion ransomware trojan

Avaddon payload

Avaddon

UAC bypass

Process spawned unexpected child process

Avaddon family

Renames multiple (177) files with added filename extension

Deletes shadow copies

Renames multiple (191) files with added filename extension

Executes dropped EXE

Enumerates connected drives

Drops desktop.ini file(s)

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-02 13:35

Signatures

Avaddon family

avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 13:35

Reported

2024-04-02 13:38

Platform

win7-20240221-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Deletes shadow copies

ransomware

Renames multiple (191) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
(The 20 entries above are recorded three times in full and a fourth time truncated after SeLoadDriverPrivilege; 64 entries in total.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe (4 entries)
PID 2848 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe (4 entries)
PID 2848 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe (4 entries)
PID 2848 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe (4 entries)
PID 2848 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\Wbem\wmic.exe (4 entries)
PID 2848 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ab.exe C:\Windows\SysWOW64\vssadmin.exe (4 entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ab.exe

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\taskeng.exe

taskeng.exe {71395A73-112F-4D91-86B7-A102AA68B1E0} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Network

N/A

Files

C:\Users\Admin\Desktop\ffGC5_readme_.txt

MD5 d62eb042e9dd3e433f2c6a696cd4a4d6
SHA1 ad74400487fb9a51d217d3e701fc8d7f1ddb4b6d
SHA256 34676cd39f71753e052b7f676d913e9291ea27a46c4b28d591f971491128d747
SHA512 02db261b88e90c0e444be29a1de84e8d68fa752df934e143f4bfff5de8586c0a792bf8d54c5a791979bc279f83fef73f0af410aae26202bd8650e9ad0b3a0fc7

C:\Users\Admin\Music\ffGC5_readme_.txt

MD5 dd244f9d9c7a6064b60f9e03800e2087
SHA1 a88775094ec99d7a4fd993a4cc68c2ca5bafa76f
SHA256 2bc58e9344e5dd74b22afe3c6cbea7a5ba866c6da34d4aeb3b877380a8037585
SHA512 a8cbebe9993750295b4604f2f850a855ed96372a0f40e8f5f6df2a62da9393f45bb6b92435591227de27533c90d1399d5ea35a479c2731c69c5baf52f7557a50

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 13:35

Reported

2024-04-02 13:38

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

Signatures

Avaddon

ransomware avaddon

Avaddon payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\wbem\wmic.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Deletes shadow copies

ransomware

Renames multiple (177) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
(The 21 entries above are recorded three times in full and a fourth time truncated after SeIncreaseQuotaPrivilege; 64 entries in total.)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\ab.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ab.exe

"C:\Users\Admin\AppData\Local\Temp\ab.exe"

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp

Files

C:\Users\Admin\Desktop\5eBcu1_readme_.txt

MD5 64055e7098324db0cadc65eca6886fea
SHA1 b33a6d25dd4e9056e32290d9b2b13b77f867155d
SHA256 c9b92411c9181c730cc756a33e830c20c0d196fd4b8ab6d54941125302eba4e0
SHA512 770e2c5f4326bd5d1c5ace2ab8479759d447242bdd25edd03aa075b43289bc22d1c82330979e72fdb2575d47fc32c00ae696f8a767a716212b8f91aee2a485a9

C:\Users\Admin\Desktop\5eBcu1_readme_.txt

MD5 e794e03ccdc36f40d9f15c10dafd3148
SHA1 615dc43611460d91cccdd8af78503b962ad9161d
SHA256 aa074953c7964e490eca40a1e4b554a579d896dd509e61d3c5f48ff78e18a46f
SHA512 9b732c46b3e75d29cee159b4819c83ca9b7c82ae711bf69a61497366a51150212dc8e546514ee7d99f97c5720481f249445e8d602520ee9f2760ffc23bb4fba2

C:\Users\Admin\Documents\5eBcu1_readme_.txt

MD5 e7b9c735ebc5a1f96ab8074818af42c3
SHA1 662f99ebe7c00a5739c28bc8756536f0a0835d6d
SHA256 a0e738b31dbd3a898aca0cf2c44a05445204d8ef0cce8b83cb44429e9bd07861
SHA512 449f27559aeb84bfc9feede1e066fc4bcb64f5d9055068b735664f3e829956c056441b008e1c53188375e49bef8501fa60a1f69b463eeaff2041583714deb39c

C:\Users\Admin\Music\5eBcu1_readme_.txt

MD5 e28d459ca29ad863476548fbc669e6f6
SHA1 f381d35bf2ecab5dd482575363bb1581590bfd2a
SHA256 c73d04315907ce555e15dfc4323917ee2e9e787dfd86c2e063277d3b708546a5
SHA512 6809b48558d81fff8f030a8ab077a9dcab6f7ea58648e460a3e25987e0a6a1f8f62494ef5324ee98e776d0d70a571ee65427fbbaefe8145827b1f3ac7e28f5e5

C:\Users\Admin\Pictures\5eBcu1_readme_.txt

MD5 3b3dd0083401ab1bbedcd1a25328c25a
SHA1 52667b1291be9122e6170e856a9a739d04b13ad9
SHA256 9a78cebcbe35b78874b4b82fd332335fa97991c30270c90be57212dc24fbd9ef
SHA512 f82d3757ed123c426844219cb265dfaf770be83a909fd3e4789592ede6865a729bab3b36a7c227adb80ce191b687ff1e2d341a3bc1ac3131de1422614865271b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ab.exe

MD5 0b486fe0503524cfe4726a4022fa6a68
SHA1 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512 f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619