
Analysis Report Avaddon Ransomware

Overview

General Information

Sample Name: Avaddon Ransomware (renamed file extension from none to exe)
Analysis ID: 280693
MD5: 275e4a63fc63c995b3e0d464919f211b
SHA1: 51d85210c2f621ca14d92a8375ee24d62f9d7f44
SHA256: cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46

Detection

Avaddon
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Avaddon Ransomware
Deletes shadow drive data (may be related to ransomware)
Modifies existing user documents (likely ransomware behavior)
Spreads via windows shares (copies files to share folders)
Writes many files with high entropy
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Yara signature match
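
Two of the signatures above, "Writes many files with high entropy" and "Modifies existing user documents (likely ransomware behavior)", rest on one measurement: the Shannon entropy of what a process writes, counted against files that already existed before it ran. The block below is an added example of that heuristic written for this page; it is not Joe Sandbox code. The file contents, the paths, the 7z.exe and notepad.exe writers and the thresholds are constructed assumptions.

```python
# Added example (not part of the Joe Sandbox report): the heuristic behind
# "Writes many files with high entropy" and "Modifies existing user documents".
# File contents, paths, the benign writers and thresholds are constructed.
import hashlib
import math
from collections import Counter
from typing import Dict, List, Set, Tuple

HIGH_ENTROPY_BITS = 7.2   # per byte; compressed or encrypted data sits near 8.0
MIN_SIZE = 256            # entropy of tiny buffers is not meaningful
ALERT_THRESHOLD = 3       # high-entropy overwrites of existing files by one process


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data: bytes) -> bool:
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= HIGH_ENTROPY_BITS


def detect_mass_encryption(writes: List[Tuple[str, str, bytes]],
                           pre_existing: Set[str]) -> Dict[str, int]:
    """Count, per writing process, high-entropy writes that overwrite a file
    that already existed. Archives and media are high-entropy too, so a single
    such write is noise; the rate of overwrites of *existing* user documents
    by one process is the signal. Returns {process: count} for offenders."""
    counts: Dict[str, int] = {}
    for process, path, data in writes:
        if path in pre_existing and is_high_entropy(data):
            counts[process] = counts.get(process, 0) + 1
    return {p: c for p, c in counts.items() if c >= ALERT_THRESHOLD}


def pseudo_ciphertext(size: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:size])


# Constructed file-system telemetry: (writing process, path, bytes written).
RANSOMWARE = r"C:\Users\user\Desktop\Avaddon Ransomware.exe"
ARCHIVER = r"C:\Program Files\7-Zip\7z.exe"          # assumed benign writer
EDITOR = r"C:\Windows\System32\notepad.exe"           # assumed benign writer
DOCS = r"C:\Users\user\Documents"
PLAINTEXT_DOC = b"Quarterly figures, draft 3. Revenue up 4% on the prior period.\r\n" * 40
RANSOM_NOTE = b"Your network has been infected! All your documents are encrypted.\r\n" * 8

PRE_EXISTING: Set[str] = {f"{DOCS}\\report{i}.docx" for i in range(4)} | {f"{DOCS}\\notes.txt"}

SAMPLE_WRITES: List[Tuple[str, str, bytes]] = [
    (RANSOMWARE, f"{DOCS}\\report{i}.docx", pseudo_ciphertext(4096, f"r{i}".encode()))
    for i in range(4)
] + [
    (RANSOMWARE, f"{DOCS}\\notes.txt", pseudo_ciphertext(1024, b"n")),
    (RANSOMWARE, f"{DOCS}\\fZYgl_readme_.txt", RANSOM_NOTE),                        # new file, text
    (ARCHIVER, r"C:\Users\user\Downloads\backup.7z", pseudo_ciphertext(8192, b"z")),  # new file, archive
    (EDITOR, f"{DOCS}\\notes.txt", PLAINTEXT_DOC),                                    # existing file, text
]


if __name__ == "__main__":
    for proc, n in detect_mass_encryption(SAMPLE_WRITES, PRE_EXISTING).items():
        print(f"ALERT: {proc} overwrote {n} existing documents with high-entropy data")
```

Entropy on its own is a weak signal: archives, images and Office documents (zip containers) also sit near 8 bits per byte, which is why the count is taken only over overwrites of pre-existing files and only above a per-process threshold. The ransom note itself is ordinary text and scores low; it is the write pattern around it that matters.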

Classification

Startup

  • System is w10x64
  • Avaddon Ransomware.exe (PID: 1984 cmdline: 'C:\Users\user\Desktop\Avaddon Ransomware.exe' MD5: 275E4A63FC63C995B3E0D464919F211B)
    • WMIC.exe (PID: 6188 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 5312 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 6696 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 6852 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 6748 cmdline: wmic.exe SHADOWCOPY /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 6804 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
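
The tree above shows the sample launching vssadmin.exe Delete Shadows /All /Quiet and wmic.exe SHADOWCOPY /nointeractive three times each, with a conhost.exe under every console child, and yet the report records no Sigma match. The block below is an added example of the detection a practitioner would run over process-creation telemetry (Sysmon Event ID 1 or Security event 4688 fields); it is not part of the report. The PIDs and command lines come from the tree above; the parent PID 4321, the full image paths of WMIC.exe and vssadmin.exe, and the benign vssadmin List Shadows control record are assumptions.

```python
# Added example (not part of the Joe Sandbox report): flag the shadow-copy
# deletion chain from the process tree using process-creation telemetry.
# Records are constructed in the shape of Sysmon Event ID 1 / Security 4688
# fields. The parent PID 4321, the full image paths of WMIC.exe and
# vssadmin.exe and the benign "List Shadows" control are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# The two shadow-copy methods the sample used. The wmic form is matched on
# the SHADOWCOPY alias alone because the logged command line carries no verb.
SHADOW_DELETE = (
    ("vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b", re.I)),
)

# Parents under these prefixes are scored lower: backup and installer tooling
# under C:\Windows does legitimately touch VSS. Assumption for this example.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\",)


def classify(ev: ProcEvent) -> Optional[str]:
    """Return 'vssadmin' or 'wmic' when the command line targets shadow copies."""
    for name, rx in SHADOW_DELETE:
        if rx.search(ev.cmdline):
            return name
    return None


def detect(events: List[ProcEvent]) -> Dict[int, dict]:
    """Group shadow-copy commands by parent PID.

    Returns {ppid: {"parent": image, "methods": set, "count": n, "suspicious": bool}}.
    A parent outside C:\\Windows issuing even one such command is marked suspicious;
    the repeated vssadmin + wmic pairing is the stronger, Avaddon-like signal.
    """
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, dict] = {}
    for ev in events:
        method = classify(ev)
        if method is None:
            continue
        parent = by_pid.get(ev.ppid)
        parent_image = parent.image if parent else "<unknown>"
        entry = hits.setdefault(ev.ppid, {"parent": parent_image, "methods": set(),
                                          "count": 0, "suspicious": False})
        entry["methods"].add(method)
        entry["count"] += 1
        if not parent_image.lower().startswith(TRUSTED_PARENT_PREFIXES):
            entry["suspicious"] = True
    return hits


# Constructed telemetry mirroring the report's tree (PIDs and command lines
# from the report; parent 4321, image paths and the last entry are assumed).
RANSOMWARE = r"C:\Users\user\Desktop\Avaddon Ransomware.exe"
SAMPLE_EVENTS = [
    ProcEvent(1984, 4321, RANSOMWARE, "'" + RANSOMWARE + "'"),
    ProcEvent(6188, 1984, r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(3120, 6188, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5312, 1984, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(6696, 1984, r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(6852, 1984, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    # Benign control: enumerating shadows is not a deletion and must not fire.
    ProcEvent(7001, 800, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe List Shadows"),
]


if __name__ == "__main__":
    for ppid, info in detect(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "review"
        print(f"{flag}: parent PID {ppid} ({info['parent']}) issued {info['count']} "
              f"shadow-copy command(s) via {sorted(info['methods'])}")
```

Keying the alert on the parent rather than on vssadmin.exe itself is the point: the deleting processes are signed Windows binaries, so the only thing that separates this tree from a backup job is that the parent lives on a user's Desktop and repeats the deletion by two different methods.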

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
Avaddon Ransomware.exe | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
Strings:
  • 0xb26ef: $s1: http://
  • 0xb272c: $s1: http://
  • 0xb2ad0: $s1: http://
  • 0xb2afc: $s1: http://
  • 0xb2b3a: $s1: http://
  • 0xb3017: $s1: http://
  • 0xb3050: $s1: http://
  • 0xb30ec: $s1: http://
  • 0xb3112: $s1: http://
  • 0xb351f: $s1: http://
  • 0xb3545: $s1: http://
  • 0xb3598: $s1: http://
  • 0xb35da: $s1: http://
  • 0xb3646: $s1: http://
  • 0x88ba6: $s2: &::>=taa
  • 0xb30a9: $s2: https://
  • 0xb26ef: $f1: http://
  • 0xb272c: $f1: http://
  • 0xb2ad0: $f1: http://
  • 0xb2afc: $f1: http://
  • 0xb2b3a: $f1: http://
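
The SUSP_XORed_URL_in_EXE hits are worth reading carefully. $s1 and $f1 fire at the same offsets (0xb26ef, 0xb272c, 0xb2ad0, 0xb2afc, 0xb2b3a), so those are plaintext http:// strings that yara's xor modifier matched with key 0x00; the only genuinely encoded hit is $s2 at 0x88ba6, where "&::>=taa" is "https://" XORed with 0x4E. The block below is an added example that implements that kind of single-byte-XOR marker scan and recovers the key; it is neither the yara rule itself nor code from the sample. The scanned buffer, including the encoded example.invalid URL in it, is constructed for the example.

```python
# Added example (not part of the Joe Sandbox report): how a single-byte-XOR
# URL scan of the kind behind SUSP_XORed_URL_in_EXE finds its hits, and what
# the "&::>=taa" match at 0x88ba6 decodes to. The scanned buffer and the
# encoded URL inside it are constructed; they are not bytes from the sample.
from typing import List, Tuple

MARKERS = (b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_key(matched: bytes, marker: bytes) -> int:
    """Derive the single-byte key that maps marker onto matched, or raise."""
    if len(matched) < len(marker):
        raise ValueError("matched text shorter than marker")
    keys = {m ^ p for m, p in zip(matched, marker)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR of the marker")
    return keys.pop()


def find_xored_markers(buf: bytes, markers=MARKERS) -> List[Tuple[int, int, bytes]]:
    """Return (offset, key, marker) for every single-byte-XOR encoding of each
    marker, key 0x00 included: that is the plaintext case, which yara's `xor`
    modifier matches too, so a plain `http://` fires both $s1 and $f1."""
    hits = []
    for marker in markers:
        for key in range(256):
            needle = xor_bytes(marker, key)
            start = buf.find(needle)
            while start >= 0:
                hits.append((start, key, marker))
                start = buf.find(needle, start + 1)
    return sorted(hits)


def decode_string(buf: bytes, offset: int, key: int, limit: int = 256) -> bytes:
    """Decode from offset until the key byte (an XORed NUL) or a non-printable byte."""
    out = bytearray()
    for b in buf[offset:offset + limit]:
        if b == key:           # NUL terminator of the original C string
            break
        c = b ^ key
        if c < 0x20 or c > 0x7E:
            break
        out.append(c)
    return bytes(out)


def encoded_only(hits: List[Tuple[int, int, bytes]]) -> List[Tuple[int, int, bytes]]:
    """Drop key-0x00 hits: those are plaintext and carry no obfuscation signal."""
    return [h for h in hits if h[1] != 0]


# Constructed buffer: a plaintext certificate-chain URL like the ones the
# report lists, then a made-up URL (with its NUL terminator) XORed with 0x4E,
# the key behind "&::>=taa".
ENCODED_URL = b"https://example.invalid/gate.php"
SAMPLE_BUF = (
    b"MZ" + b"\x00" * 30
    + b"http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl" + b"\x00" * 16
    + xor_bytes(ENCODED_URL + b"\x00", 0x4E) + b"\x00" * 8
)


if __name__ == "__main__":
    print("key for '&::>=taa':", hex(recover_key(b"&::>=taa", b"https://")))
    for off, key, marker in find_xored_markers(SAMPLE_BUF):
        print(f"0x{off:x} key=0x{key:02x} {marker!r} -> {decode_string(SAMPLE_BUF, off, key)!r}")
```

Run against a real binary, the plaintext hits are the certificate AIA/CRL/OCSP URLs every signed PE carries; filtering to non-zero keys is what leaves the obfuscated string a rule like this is meant to surface. The decoded content at 0x88ba6 in the sample is not on this page, so nothing is claimed about it beyond the key.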

Dropped Files

Source | Rule | Description | Author
C:\EFI\Microsoft\Boot\bg-BG\fZYgl_readme_.txt | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security
(41 entries in the full report; the first is shown)

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.256391055.0000000005602000.00000004.00000001.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security
00000001.00000003.271836346.0000000005602000.00000004.00000001.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security
00000001.00000003.273042798.0000000005600000.00000004.00000001.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security
00000001.00000003.264680432.0000000005602000.00000004.00000001.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security
00000001.00000003.241218830.0000000005479000.00000004.00000001.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security
(195 entries in the full report; the first five are shown)

Unpacked PEs

Source | Rule | Description | Author
1.0.Avaddon Ransomware.exe.1390000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
Strings:
  • 0x88ba6: $s2: &::>=taa

Sigma Overview

No Sigma rule has matched

Signature Overview

                      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Avaddon Ransomware.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: Avaddon Ransomware.exe, Virustotal: Detection: 11%
Source: Avaddon Ransomware.exe, ReversingLabs: Detection: 27%

                      Spreading:

Spreads via windows shares (copies files to share folders)
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File created: Z:\$RECYCLE.BIN
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: z:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: x:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: v:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: t:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: r:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: p:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: n:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: l:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: j:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: h:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: f:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: b:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: y:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: w:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: u:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: s:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: q:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: o:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: m:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: k:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: i:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: g:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: e:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: c:
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe, File opened: a:
Source: Avaddon Ransomware.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Avaddon Ransomware.exe, String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Avaddon Ransomware.exe, String found in binary or memory: http://ocsp.digicert.com0H
Source: Avaddon Ransomware.exe, String found in binary or memory: http://ocsp.digicert.com0I
Source: Avaddon Ransomware.exe, String found in binary or memory: http://ocsp.thawte.com0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Avaddon Ransomware.exe, String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Avaddon Ransomware.exe, String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Avaddon Ransomware.exe, String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Avaddon Ransomware.exe, String found in binary or memory: https://www.digicert.com/CPS0
Source: Avaddon Ransomware.exe, 00000001.00000003.256391055.0000000005602000.00000004.00000001.sdmp, fZYgl_readme_.txt19.1.dr, String found in binary or memory: https://www.torproject.org/
Note: the digicert, thawte and symantec URLs are the AIA, CRL, OCSP and CPS endpoints of an Authenticode certificate chain embedded in the binary, not contact infrastructure; the characters trailing each URL ("0", "07", "0H", "0K", "0(") are the adjacent bytes of the DER-encoded certificate, not part of the URL. The torproject.org reference is the one that belongs to the ransom note.

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Avaddon Ransomware
Source: Yara match, type: MEMORY, file sources:
  • 00000001.00000003.256391055.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.271836346.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.273042798.0000000005600000.00000004.00000001.sdmp
  • 00000001.00000003.264680432.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.241218830.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.274094919.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.249106511.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.278071397.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.280784608.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.239659598.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.256935911.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.246159593.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.259153527.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.285574850.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.277117984.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.271241687.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.277595306.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.265198501.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.243381131.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.257858971.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.277067431.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.259320782.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.291234965.0000000004C7B000.00000004.00000001.sdmp
  • 00000001.00000003.256197292.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.264809143.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.265443740.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.236505260.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.236486892.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.253923836.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.255526106.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.295428205.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.294995918.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.277431781.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.273748481.0000000005600000.00000004.00000001.sdmp
  • 00000001.00000003.274846566.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.237144928.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.251212605.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.264154370.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.238710461.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.288236043.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.245613044.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.257935061.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.278897772.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.293189263.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.267370759.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.254994601.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.240173246.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.274456133.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.304981377.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.270300423.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.286367767.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.269530971.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.263667539.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.258161115.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.289850906.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.300629725.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.272916779.0000000005600000.00000004.00000001.sdmp
  • 00000001.00000003.305329732.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.270200898.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.293787173.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.266558071.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.253671306.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.237389542.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.294617934.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.276276154.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.240262452.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.239883492.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.263872253.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.269137977.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.278685234.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.283560648.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.249688202.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.293940716.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.290424092.0000000004C7B000.00000004.00000001.sdmp
  • 00000001.00000003.283340912.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.262844027.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.259283734.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.238014797.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.271572456.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.256430089.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.258360856.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.288356135.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.275757453.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.238102860.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.240874333.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.273201979.0000000005600000.00000004.00000001.sdmp
  • 00000001.00000003.244243849.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.267868691.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.269094798.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.254283817.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.275569270.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.241734772.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.278437674.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.272990796.0000000005600000.00000004.00000001.sdmp
  • 00000001.00000003.232860696.0000000004C7D000.00000004.00000001.sdmp
  • 00000001.00000003.260772294.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.272048354.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.267701094.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.274957702.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.266152517.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.279006664.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.284798276.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.273917646.0000000005600000.00000004.00000001.sdmp
  • 00000001.00000003.247615394.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.257996273.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.261652206.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.274507818.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.261331732.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.281405397.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.283282754.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.265915429.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.269705439.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.275053165.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.255117642.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.292663447.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.291375757.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.241056750.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.290023557.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.237808058.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.278752961.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.280293835.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.236423394.0000000004C7D000.00000004.00000001.sdmp
  • 00000001.00000003.236874963.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.302524542.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.247109477.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.275645069.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.280206009.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.278135737.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.240730923.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.293364472.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.265306552.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.265069037.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.239116374.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.279316481.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.302993593.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.242967068.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.283137568.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.275366477.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.253539368.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.247825321.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.245818641.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.241711373.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.238965909.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.246281224.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.245673986.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.275699440.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.265680740.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.272578748.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.289749651.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.238841689.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.277677530.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.264457762.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.291089251.0000000004C7B000.00000004.00000001.sdmp
  • 00000001.00000003.244500544.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.292685822.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.278500716.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.249267064.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.236953582.0000000005479000.00000004.00000001.sdmp
  • 00000001.00000003.258289655.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.263620413.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.239376251.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.277317994.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.257574966.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.293128701.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.289880823.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.300785633.0000000005602000.00000004.00000001.sdmp
  • 00000001.00000003.277231069.0000000005602000.00000004.00000001.sdmp
                      Source: Yara matchFile source: 00000001.00000003.236768091.0000000005479000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.246612662.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.280651645.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.273445243.0000000005600000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.291801736.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.245471047.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.243866179.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.266946380.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.253428183.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.272155347.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.281960602.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.253196946.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.259661460.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.268383242.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.240669318.0000000005479000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.300465803.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.260820501.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.236092077.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.240224782.0000000005479000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.276533372.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.281236726.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.281511356.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.244934097.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.270067455.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.246322680.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.303269378.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.277906747.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.264875600.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.240969302.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.245735454.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.294813449.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.263844095.0000000005602000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Avaddon Ransomware.exe PID: 1984, type: MEMORY
                      Source: Yara match | File source: C:\EFI\Microsoft\Boot\bg-BG\fZYgl_readme_.txt, type: DROPPED
                      Deletes shadow drive data (may be related to ransomware)
                      Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
                      Source: vssadmin.exe, 00000005.00000002.194132223.0000000003820000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/Quiet
                      Source: vssadmin.exe, 00000005.00000002.194006335.00000000034C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
                      Source: vssadmin.exe, 00000005.00000002.194006335.00000000034C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
                      Source: vssadmin.exe, 00000005.00000002.194006335.00000000034C0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
                      Source: vssadmin.exe, 00000005.00000002.194006335.00000000034C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
                      Source: vssadmin.exe, 00000005.00000002.194006335.00000000034C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
                      Source: vssadmin.exe, 00000005.00000002.194076681.0000000003577000.00000004.00000020.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005312- TID: 00006484- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 00000005.00000002.194076681.0000000003577000.00000004.00000020.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005312- TID: 00006484- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 2
                      Source: vssadmin.exe, 00000005.00000002.193954930.0000000003420000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
                      Source: vssadmin.exe, 00000005.00000002.194065223.0000000003570000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=RMDIWSRUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                      Source: vssadmin.exe, 00000005.00000002.194065223.0000000003570000.00000004.00000020.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                      Source: vssadmin.exe, 00000005.00000002.194065223.0000000003570000.00000004.00000020.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /QuietM
                      Source: vssadmin.exe, 00000005.00000002.193536987.0000000002FDC000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005312- TID: 00006484- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                      Source: vssadmin.exe, 0000000A.00000002.201881709.0000000003120000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default41
                      Source: vssadmin.exe, 0000000A.00000002.201377654.0000000002D5B000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006852- TID: 00006872- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000000A.00000002.201377654.0000000002D5B000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006852- TID: 00006872- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                      Source: vssadmin.exe, 0000000E.00000002.215242717.0000000003220000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
                      Source: vssadmin.exe, 0000000E.00000002.215678172.00000000033F7000.00000004.00000020.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006804- TID: 00006744- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000000E.00000002.215766264.0000000003580000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/QuietU
                      Source: vssadmin.exe, 0000000E.00000002.215661251.00000000033F0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=RMDIWSRUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                      Source: vssadmin.exe, 0000000E.00000002.215661251.00000000033F0000.00000004.00000020.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
                      Source: vssadmin.exe, 0000000E.00000002.209393713.00000000030AB000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006804- TID: 00006744- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                      Modifies existing user documents (likely ransomware behavior)
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File moved: C:\Users\user\Desktop\MQAWXUYAIK.xlsx
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File deleted: C:\Users\user\Desktop\MQAWXUYAIK.xlsx
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File moved: C:\Users\user\Desktop\MNULNCRIYC.pdf
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File deleted: C:\Users\user\Desktop\MNULNCRIYC.pdf
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File moved: C:\Users\user\Desktop\MQAWXUYAIK\MQAWXUYAIK.docx
                      Writes many files with high entropy
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui entropy: 7.99767352248
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\bootmgr.efi entropy: 7.99982785052
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\bootmgfw.efi entropy: 7.99984853428
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui entropy: 7.99757968095
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\cs-CZ\memtest.efi.mui entropy: 7.99611311442
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\cs-CZ\bootmgfw.efi.mui entropy: 7.99765785664
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\cs-CZ\bootmgr.efi.mui entropy: 7.99743927094
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\da-DK\memtest.efi.mui entropy: 7.99573072181
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\de-DE\bootmgfw.efi.mui entropy: 7.99811900261
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\da-DK\bootmgfw.efi.mui entropy: 7.99773632677
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\da-DK\bootmgr.efi.mui entropy: 7.99806998468
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\el-GR\bootmgfw.efi.mui entropy: 7.9978620277
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\de-DE\memtest.efi.mui entropy: 7.99663634949
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\de-DE\bootmgr.efi.mui entropy: 7.99772507867
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\el-GR\memtest.efi.mui entropy: 7.99630769331
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\el-GR\bootmgr.efi.mui entropy: 7.99745550319
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\en-GB\bootmgr.efi.mui entropy: 7.99779634113
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\en-GB\bootmgfw.efi.mui entropy: 7.99776121437
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\en-US\bootmgfw.efi.mui entropy: 7.99801499242
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\es-ES\bootmgfw.efi.mui entropy: 7.99784014069
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\en-US\bootmgr.efi.mui entropy: 7.99783245141
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\en-US\memtest.efi.mui entropy: 7.99641729741
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\es-ES\bootmgr.efi.mui entropy: 7.9977966399
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\es-ES\memtest.efi.mui entropy: 7.99648254181
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\es-MX\bootmgr.efi.mui entropy: 7.99804511823
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\es-MX\bootmgfw.efi.mui entropy: 7.99784604376
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\et-EE\bootmgfw.efi.mui entropy: 7.99756062472
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\et-EE\bootmgr.efi.mui entropy: 7.99752504537
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fi-FI\bootmgfw.efi.mui entropy: 7.99764577312
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fi-FI\memtest.efi.mui entropy: 7.99568947322
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fi-FI\bootmgr.efi.mui entropy: 7.99775419813
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fr-FR\bootmgr.efi.mui entropy: 7.99833554439
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fr-CA\bootmgr.efi.mui entropy: 7.99814941145
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fr-CA\bootmgfw.efi.mui entropy: 7.99727479037
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fr-FR\memtest.efi.mui entropy: 7.99662548001
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\fr-FR\bootmgfw.efi.mui entropy: 7.99778568986
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\hr-HR\bootmgfw.efi.mui entropy: 7.99791449203
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\hr-HR\bootmgr.efi.mui entropy: 7.99794631558
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\hu-HU\bootmgfw.efi.mui entropy: 7.9978806884
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\hu-HU\bootmgr.efi.mui entropy: 7.99814847876
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\hu-HU\memtest.efi.mui entropy: 7.99670299437
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\it-IT\bootmgfw.efi.mui entropy: 7.99790660098
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\it-IT\bootmgr.efi.mui entropy: 7.99780119478
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\it-IT\memtest.efi.mui entropy: 7.99666687365
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\ja-JP\bootmgfw.efi.mui entropy: 7.99752471793
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\ja-JP\bootmgr.efi.mui entropy: 7.99735985188
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\ja-JP\memtest.efi.mui entropy: 7.99634653772
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\ko-KR\bootmgfw.efi.mui entropy: 7.99764806173
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\ko-KR\memtest.efi.mui entropy: 7.99645138184
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\ko-KR\bootmgr.efi.mui entropy: 7.99676070823
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\lt-LT\bootmgfw.efi.mui entropy: 7.99809263606
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\lt-LT\bootmgr.efi.mui entropy: 7.99777143253
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\lv-LV\bootmgfw.efi.mui entropy: 7.99758687714
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\lv-LV\bootmgr.efi.mui entropy: 7.9979469535
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\nb-NO\bootmgfw.efi.mui entropy: 7.99807701012
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\memtest.efi entropy: 7.99980308254
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\nb-NO\bootmgr.efi.mui entropy: 7.99777042299
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\nb-NO\memtest.efi.mui entropy: 7.99653031528
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\nl-NL\bootmgr.efi.mui entropy: 7.99764284228
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\nl-NL\bootmgfw.efi.mui entropy: 7.99792559087
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\nl-NL\memtest.efi.mui entropy: 7.99601190015
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pl-PL\bootmgfw.efi.mui entropy: 7.99760101807
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pl-PL\bootmgr.efi.mui entropy: 7.9977897217
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pl-PL\memtest.efi.mui entropy: 7.99649027566
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pt-BR\bootmgfw.efi.mui entropy: 7.99770748652
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pt-BR\bootmgr.efi.mui entropy: 7.99774535166
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pt-BR\memtest.efi.mui entropy: 7.99599733719
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pt-PT\bootmgr.efi.mui entropy: 7.99767871794
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\EFI\Microsoft\Boot\pt-PT\bootmgfw.efi.mui entropy: 7.99767433907
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\pt-PT\memtest.efi.mui entropy: 7.99609785796Jump to dropped file
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\ro-RO\bootmgr.efi.mui entropy: 7.99743311973
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\ro-RO\bootmgfw.efi.mui entropy: 7.9979231121
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\qps-ploc\memtest.efi.mui entropy: 7.9966502389
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\ru-RU\bootmgfw.efi.mui entropy: 7.99777411558
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\ru-RU\bootmgr.efi.mui entropy: 7.99747147837
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sk-SK\bootmgfw.efi.mui entropy: 7.99797661226
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\ru-RU\memtest.efi.mui entropy: 7.99639212899
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sl-SI\bootmgr.efi.mui entropy: 7.99801438611
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sk-SK\bootmgr.efi.mui entropy: 7.99785601585
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sl-SI\bootmgfw.efi.mui entropy: 7.99791349688
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sr-Latn-RS\bootmgr.efi.mui entropy: 7.99804827548
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sr-Latn-RS\bootmgfw.efi.mui entropy: 7.998230714
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sv-SE\bootmgfw.efi.mui entropy: 7.99753156795
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sv-SE\memtest.efi.mui entropy: 7.99639626105
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\sv-SE\bootmgr.efi.mui entropy: 7.99782765987
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\tr-TR\bootmgfw.efi.mui entropy: 7.99771351628
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\tr-TR\memtest.efi.mui entropy: 7.99594786482
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\tr-TR\bootmgr.efi.mui entropy: 7.9980529753
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\uk-UA\bootmgr.efi.mui entropy: 7.99777663786
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\uk-UA\bootmgfw.efi.mui entropy: 7.99763433977
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\zh-CN\bootmgfw.efi.mui entropy: 7.99680187041
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeFile created: C:\EFI\Microsoft\Boot\zh-CN\bootmgr.efi.mui entropy: 7.99725274242
Source: Avaddon Ransomware.exe, 00000001.00000000.179249498.000000000143C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametaskhost.exej% vs Avaddon Ransomware.exe
Source: Avaddon Ransomware.exe, 00000001.00000003.257152167.0000000005850000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebootmgr.exej% vs Avaddon Ransomware.exe
Source: Avaddon Ransomware.exe, 00000001.00000003.235621401.0000000005850000.00000004.00000001.sdmp | Binary or memory string: .rsrcfr-cafr-fres-mxes-eszh-hkzh-twVS_VERSION_INFOStringFileInfoOriginalFilenameMUI%s\%s\%s.MUIMUI: %s checksum does not match primary file checksum vs Avaddon Ransomware.exe
Source: Avaddon Ransomware.exe | Binary or memory string: OriginalFilenametaskhost.exej% vs Avaddon Ransomware.exe
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Section loaded: cscapi.dll
Source: Avaddon Ransomware.exe, type: SAMPLE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 1.0.Avaddon Ransomware.exe.1390000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: classification engine | Classification label: mal80.rans.spre.winEXE@19/219@0/0
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{A2BBD235-8D0F-42CD-81A3-89A4E9EE96E7}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_01
Source: Avaddon Ransomware.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File read: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Avaddon Ransomware.exe | Virustotal: Detection: 11%
Source: Avaddon Ransomware.exe | ReversingLabs: Detection: 27%
Source: unknown | Process created: C:\Users\user\Desktop\Avaddon Ransomware.exe 'C:\Users\user\Desktop\Avaddon Ransomware.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File written: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: Avaddon Ransomware.exe | Static PE information: certificate valid
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Avaddon Ransomware.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Avaddon Ransomware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: bootmgfw.pdb | source: Avaddon Ransomware.exe, 00000001.00000003.235650828.0000000005863000.00000004.00000001.sdmp
Source: Binary string: bootmgfw.pdbO | source: Avaddon Ransomware.exe, 00000001.00000003.235650828.0000000005863000.00000004.00000001.sdmp
Source: Avaddon Ransomware.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Avaddon Ransomware.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Avaddon Ransomware.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Avaddon Ransomware.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Avaddon Ransomware.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\bg-BG\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\cs-CZ\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\da-DK\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\de-DE\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\el-GR\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\en-GB\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\en-US\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\es-ES\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Desktop\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\es-MX\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Desktop\MQAWXUYAIK\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\et-EE\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\fi-FI\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\fr-FR\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\fr-CA\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\hr-HR\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Desktop\XQACHMZIHU\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\hu-HU\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\it-IT\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Documents\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\ja-JP\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Documents\MQAWXUYAIK\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\ko-KR\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\lt-LT\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\lv-LV\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\nb-NO\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Documents\XQACHMZIHU\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\nl-NL\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\pl-PL\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Downloads\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\pt-BR\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Favorites\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\pt-PT\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\ro-RO\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\qps-ploc\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\ru-RU\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\sk-SK\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\sl-SI\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\user\Searches\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\sr-Latn-RS\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\sv-SE\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\tr-TR\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\uk-UA\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: C:\Users\Public\Libraries\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File created: Y:\EFI\Microsoft\Boot\zh-CN\fZYgl_readme_.txt
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | File Volume queried: C:\ FullSizeInformation
Source: Avaddon Ransomware.exe, 00000001.00000003.257152167.0000000005850000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: WMIC.exe, 00000002.00000002.189311781.0000000003180000.00000002.00000001.sdmp, vssadmin.exe, 00000005.00000002.194248460.0000000004F80000.00000002.00000001.sdmp, WMIC.exe, 00000008.00000002.198341577.00000000031A0000.00000002.00000001.sdmp, vssadmin.exe, 0000000A.00000002.202293372.0000000004CC0000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.206428711.00000000030D0000.00000002.00000001.sdmp, vssadmin.exe, 0000000E.00000002.215823835.0000000004E30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Avaddon Ransomware.exe, 00000001.00000003.261374416.000000000101F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WMIC.exe, 00000002.00000002.189311781.0000000003180000.00000002.00000001.sdmp, vssadmin.exe, 00000005.00000002.194248460.0000000004F80000.00000002.00000001.sdmp, WMIC.exe, 00000008.00000002.198341577.00000000031A0000.00000002.00000001.sdmp, vssadmin.exe, 0000000A.00000002.202293372.0000000004CC0000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.206428711.00000000030D0000.00000002.00000001.sdmp, vssadmin.exe, 0000000E.00000002.215823835.0000000004E30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000002.00000002.189311781.0000000003180000.00000002.00000001.sdmp, vssadmin.exe, 00000005.00000002.194248460.0000000004F80000.00000002.00000001.sdmp, WMIC.exe, 00000008.00000002.198341577.00000000031A0000.00000002.00000001.sdmp, vssadmin.exe, 0000000A.00000002.202293372.0000000004CC0000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.206428711.00000000030D0000.00000002.00000001.sdmp, vssadmin.exe, 0000000E.00000002.215823835.0000000004E30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Avaddon Ransomware.exe, 00000001.00000003.231980229.0000000001021000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WMIC.exe, 00000002.00000002.189311781.0000000003180000.00000002.00000001.sdmp, vssadmin.exe, 00000005.00000002.194248460.0000000004F80000.00000002.00000001.sdmp, WMIC.exe, 00000008.00000002.198341577.00000000031A0000.00000002.00000001.sdmp, vssadmin.exe, 0000000A.00000002.202293372.0000000004CC0000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.206428711.00000000030D0000.00000002.00000001.sdmp, vssadmin.exe, 0000000E.00000002.215823835.0000000004E30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\BCD VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\boot.stl VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\bootmgfw.efi VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\bootmgr.efi VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\cs-CZ\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\cs-CZ\memtest.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\cs-CZ\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\da-DK\memtest.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\da-DK\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\da-DK\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\de-DE\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\de-DE\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\de-DE\memtest.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\el-GR\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\el-GR\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\el-GR\memtest.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-GB\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-GB\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-US\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-US\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\en-US\memtest.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-ES\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-ES\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.mp3 VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-ES\memtest.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.pdf VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-MX\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\es-MX\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MNULNCRIYC.mp3 VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MNULNCRIYC.pdf VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK\DTBZGIOOSO.mp3 VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK\MNULNCRIYC.pdf VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\et-EE\bootmgfw.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK\MQAWXUYAIK.docx VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\EFI\Microsoft\Boot\et-EE\bootmgr.efi.mui VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK\NHPKIZUUSG.png VolumeInformation
Source: C:\Users\user\Desktop\Avaddon Ransomware.exe | Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK\QVTVNIBKSD.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\MQAWXUYAIK.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\MQAWXUYAIK\TQDGENUHWP.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fi-FI\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fi-FI\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\MQAWXUYAIK.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fi-FI\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\NHPKIZUUSG.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\PSAMNLJHZW.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\QVTVNIBKSD.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\QVTVNIBKSD.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fr-CA\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fr-CA\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fr-FR\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\TQDGENUHWP.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fr-FR\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\fr-FR\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\hr-HR\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\hr-HR\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU\FACWLRWHGG.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU\MNULNCRIYC.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU\MQAWXUYAIK.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU\PSAMNLJHZW.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU\XQACHMZIHU.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU\QVTVNIBKSD.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\hu-HU\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\hu-HU\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\hu-HU\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\it-IT\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\it-IT\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\it-IT\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\FACWLRWHGG.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\DTBZGIOOSO.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MNULNCRIYC.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MNULNCRIYC.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ja-JP\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ja-JP\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ja-JP\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK\DTBZGIOOSO.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK\MNULNCRIYC.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK\MQAWXUYAIK.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK\NHPKIZUUSG.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK\QVTVNIBKSD.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ko-KR\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ko-KR\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ko-KR\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK\TQDGENUHWP.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\MQAWXUYAIK.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\NHPKIZUUSG.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\lt-LT\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\lt-LT\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\PSAMNLJHZW.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\QVTVNIBKSD.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\QVTVNIBKSD.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\lv-LV\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\lv-LV\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\TQDGENUHWP.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\memtest.efi VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\nb-NO\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU\FACWLRWHGG.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\nb-NO\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU\MNULNCRIYC.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\nb-NO\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU\MQAWXUYAIK.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU\PSAMNLJHZW.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU\XQACHMZIHU.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU\QVTVNIBKSD.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\nl-NL\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\nl-NL\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\nl-NL\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pl-PL\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\FACWLRWHGG.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\DTBZGIOOSO.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\MNULNCRIYC.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pl-PL\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\MNULNCRIYC.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\MQAWXUYAIK.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\MQAWXUYAIK.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pl-PL\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\NHPKIZUUSG.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\PSAMNLJHZW.png VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\QVTVNIBKSD.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\QVTVNIBKSD.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\TQDGENUHWP.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pt-BR\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pt-BR\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pt-BR\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Downloads\XQACHMZIHU.docx VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Bing.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pt-PT\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pt-PT\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Google.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\pt-PT\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Live.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ro-RO\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Twitter.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Favorites\Youtube.url VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ro-RO\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\qps-ploc\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ru-RU\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ru-RU\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\ru-RU\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sk-SK\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sk-SK\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sl-SI\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sl-SI\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Searches\Everywhere.search-ms VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sr-Latn-RS\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sr-Latn-RS\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\user\Searches\Indexed Locations.search-ms VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sv-SE\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sv-SE\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\sv-SE\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\tr-TR\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\tr-TR\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\tr-TR\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\uk-UA\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\uk-UA\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\Users\Public\Libraries\RecordedTV.library-ms VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\winsipolicy.p7b VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\zh-CN\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\zh-CN\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\zh-CN\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\zh-TW\bootmgfw.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\zh-TW\bootmgr.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\zh-TW\memtest.efi.mui VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exeQueries volume information: C:\EFI\Microsoft\Boot\Fonts\chs_boot.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Avaddon Ransomware.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Mitre Att&ck Matrix

                      Techniques are listed per tactic column; techniques flagged for this sample carry the report's signature match count in parentheses.

                      Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                      Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                      Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                      Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (11); DLL Side-Loading (1); File Deletion (1); Steganography; Compile After Delivery
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                      Discovery: Query Registry (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (2); Process Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (2); System Information Discovery (13)
                      Lateral Movement: Taint Shared Content (1); Replication Through Removable Media (1); SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                      Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
                      Impact: Data Encrypted for Impact (1); Device Lockout; Delete Device Data; Data Encrypted for Impact

                      Behavior Graph

                      [Interactive behavior graph not reproduced. Its legend distinguishes: process, signature, created file, DNS/IP info, dropped file, Windows process, number of created registry values, number of created files, implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious marker, and Internet access.]