Overview

overview

10

Static

static

10

46a8c1e768...75.exe

windows7-x64

10

46a8c1e768...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe

  • Size

    775KB

  • MD5

    c19084114c85192dacfed89a92da6837

  • SHA1

    a1d6461e833813ccfb77a6929de43ab5383dbb98

  • SHA256

    46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675

  • SHA512

    cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e

  • SSDEEP

    24576:+CsD9+OXLpMePfI8TgmBTCDqEbOpPtpFafxfq:YcOXLpMePfzVTCD7gPtLapfq

Score
10/10
avaddonevasionransomwaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\iTPlwH0_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bBeecbbBE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1SUzlIRzJBaDRrOEpDMkppQys4ejNVb2N6bjUxSWhzMnJqYXRsdUx5YkhFeHlRYldUS0JmOWxsQ05wYlJVdndSNUVzMC9HSjFiNDZnMEt3TUhmNVVjcyt0V0NCbmR2V1craVVCTmFmSVA5YWJ3eTc4T0xKVWt3R2VxSkw5QUxLT3JkZEI5ZDdKV1Q2Wk9nS3ZwVkljK1dtYnBEMzNYaXp2a0QvUjZ1MTJhZ05JSndEcmhWMW9NOElhUUxmYWFuelAzcWQwcTFIMGo3S1B4VTVTNWUwOTRFbDZ6aEJ0VThBc1Q5Y3ZXNFpZUjRKNStpOHlUOXZJbWxWcEdldzdhNnVIYjV1NHdFeTFBZmxNbDFNY0ZFQlAwVE1OREpXNitJbFk2S3lwbnlYMU5jdUdBbVlxQThuWkVSbnlvOFpJcVZNeWNXVVRQeHZJb05kdlNSdDVsNE40eEtJL3hFYnNuUVhibk11UHVUb3dnSkFFSGwxNVlVUTNOWXlIMUYrckExQ2FBc1RiMCtxMlNmYU42RUZFYXdML2pKZ3A1V2p5RWFOdERRcEtIVDBhVGs2TTYxU2wxSXMzVStUbU9QOURvQzdGNC9NRnNoRXNnblJTcUh3QlVvRVdMWCtYSkw1SHF6bitiMmlIbUdnaVVHd0hGMzhRbjJhTTJMbGU1VG9nbGpCc0g0TG9QUFhoQ1J0VWpUVDhMOEN3RDdmMThCMFpuWGJKTnhkeHNJTURWaldGck9sNkQxYUNUZzRkZzZoMkRmbmhuSWUyRHVjdDhLeDdDYm95TzFnWHNxQ2FNUHBMSlRwOE4rbVlnNllVcFFwKy8yaUR6QzIvL3hQL1Y1TVE3VDIrTHVFeXRaV29NR0FPOWFOTDlQbVZ6ckNNallOVjFPNHR1WWlMaHIwRjJsVGhZdVFoVEtLaWFZZVlOQytYYVE0N2wzdndMUnI3eWdRVDN6TEdSOEJicnB2ME1VclZKbTdOdDNyQXZRUllpbCt4dEJtUFB0VlpNMnpWTlJkellMZ2ZDSjJ3Ky9GbUxaTnQ0d2RvZ01GYUMzQ2p6ZEd5U2lwdUlQVzJIb3ZKUlBJUEYvaHAvRFRVUEJwOXhLOTRkdXJkcU04dGVMdzRsMFMyRk92YnBDZ2hZNURWNDBSeHJ2bEllb05sVTM4TnNsOVFWNkpaeUlsOVBsZnN6UENPb1ZValpUenZLUlNGam5HODhZY2xPaVdCVXZaTVY4dk50d3ZsNVMzdFZGcFFDT0I0YUlZN00rTmh5Rjh5U3ZhUWliMWtBOFYvTFFMbWZudVd5VmhoYzBzT3pBeEJJaktkdkVVbmJiMHA2RStDcllzWVF2YUFndU5YaFVaeFYwWmt0ckd3WTZWRUlHNHlKY3RodU50eFdsVklTWUJRSXB0eDFVUHNHQWdBcTNJRkx1b3pMNUNKcDIzTHc2anZjRCtvdTNqWVMza3ZIeVdRNEJkNGU4em9NeFpBV2ZNVjRTM1c3cFhJUnp0Wjc1QUl2K1ZUUzlLSlI5YUEzSzc4SUlkT2RpRXRjOS9FcTZJNWd2dkcvVVNQOXJ6V1dhLzlweEk5UE16WU5GTFdNVEpreGF1eXVrQ2lyZkY5YVdqbm9BdGdsdElhQ0lUSnhDZC80MUZvLytTLzFVTkttZHBWcXdpVHNFSmFBa1dnRGpxTjdwYlZtRStqc2RVelczMnpVd084VThQZElnZjdNOXRmWm5JaEY4Z2VTYWgrNm1neFcvM21tTytveFBBdWtpUEJyaWsrWDVaY2VKTEZ1SndkY1JWUGE4U3Q5ajJlSUowMHpHekpDNzlDNkltMmpXb0ZlUnVHOXQ2RUE0YllicjNYc2srRUxpdGlMUWkrajlPajQrUmRLdUR2Rm9GSDlwUUlBck9LQWJMSGcrWnV3d1FnY3RkVExHbGd3b25la0xwcFZtelY5RDdzb2dzWXg1K0NldW1ZeVJZTC84Y21WeXFwZnhtd1B6dE52bHpMQlZiNmo4bVM0TDU4UjAvWGJzUXZkSmhzaFJqb3BSODVva2NkSUxtYnQ5WmNkTDdrdVZFQkFpY2ZENUJWank4QStQcXh4ZUhsRFlPS3ZwdVp6eERWbURZYXpxQlA2bHFkYWlDMVRTR1ltVGZweDROWUIyWVp2RnN4anRRUk1RZ0p0Zz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * bvJFZAh
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Documents\iTPlwH0_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bBeecbbBE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1SUzlIRzJBaDRrOEpDMkppQys4ejNVb2N6bjUxSWhzMnJqYXRsdUx5YkhFeHlRYldUS0JmOWxsQ05wYlJVdndSNUVzMC9HSjFiNDZnMEt3TUhmNVVjcyt0V0NCbmR2V1craVVCTmFmSVA5YWJ3eTc4T0xKVWt3R2VxSkw5QUxLT3JkZEI5ZDdKV1Q2Wk9nS3ZwVkljK1dtYnBEMzNYaXp2a0QvUjZ1MTJhZ05JSndEcmhWMW9NOElhUUxmYWFuelAzcWQwcTFIMGo3S1B4VTVTNWUwOTRFbDZ6aEJ0VThBc1Q5Y3ZXNFpZUjRKNStpOHlUOXZJbWxWcEdldzdhNnVIYjV1NHdFeTFBZmxNbDFNY0ZFQlAwVE1OREpXNitJbFk2S3lwbnlYMU5jdUdBbVlxQThuWkVSbnlvOFpJcVZNeWNXVVRQeHZJb05kdlNSdDVsNE40eEtJL3hFYnNuUVhibk11UHVUb3dnSkFFSGwxNVlVUTNOWXlIMUYrckExQ2FBc1RiMCtxMlNmYU42RUZFYXdML2pKZ3A1V2p5RWFOdERRcEtIVDBhVGs2TTYxU2wxSXMzVStUbU9QOURvQzdGNC9NRnNoRXNnblJTcUh3QlVvRVdMWCtYSkw1SHF6bitiMmlIbUdnaVVHd0hGMzhRbjJhTTJMbGU1VG9nbGpCc0g0TG9QUFhoQ1J0VWpUVDhMOEN3RDdmMThCMFpuWGJKTnhkeHNJTURWaldGck9sNkQxYUNUZzRkZzZoMkRmbmhuSWUyRHVjdDhLeDdDYm95TzFnWHNxQ2FNUHBMSlRwOE4rbVlnNllVcFFwKy8yaUR6QzIvL3hQL1Y1TVE3VDIrTHVFeXRaV29NR0FPOWFOTDlQbVZ6ckNNallOVjFPNHR1WWlMaHIwRjJsVGhZdVFoVEtLaWFZZVlOQytYYVE0N2wzdndMUnI3eWdRVDN6TEdSOEJicnB2ME1VclZKbTdOdDNyQXZRUllpbCt4dEJtUFB0VlpNMnpWTlJkellMZ2ZDSjJ3Ky9GbUxaTnQ0d2RvZ01GYUMzQ2p6ZEd5U2lwdUlQVzJIb3ZKUlBJUEYvaHAvRFRVUEJwOXhLOTRkdXJkcU04dGVMdzRsMFMyRk92YnBDZ2hZNURWNDBSeHJ2bEllb05sVTM4TnNsOVFWNkpaeUlsOVBsZnN6UENPb1ZValpUenZLUlNGam5HODhZY2xPaVdCVXZaTVY4dk50d3ZsNVMzdFZGcFFDT0I0YUlZN00rTmh5Rjh5U3ZhUWliMWtBOFYvTFFMbWZudVd5VmhoYzBzT3pBeEJJaktkdkVVbmJiMHA2RStDcllzWVF2YUFndU5YaFVaeFYwWmt0ckd3WTZWRUlHNHlKY3RodU50eFdsVklTWUJRSXB0eDFVUHNHQWdBcTNJRkx1b3pMNUNKcDIzTHc2anZjRCtvdTNqWVMza3ZIeVdRNEJkNGU4em9NeFpBV2ZNVjRTM1c3cFhJUnp0Wjc1QUl2K1ZUUzlLSlI5YUEzSzc4SUlkT2RpRXRjOS9FcTZJNWd2dkcvVVNQOXJ6V1dhLzlweEk5UE16WU5GTFdNVEpreGF1eXVrQ2lyZkY5YVdqbm9BdGdsdElhQ0lUSnhDZC80MUZvLytTLzFVTkttZHBWcXdpVHNFSmFBa1dnRGpxTjdwYlZtRStqc2RVelczMnpVd084VThQZElnZjdNOXRmWm5JaEY4Z2VTYWgrNm1neFcvM21tTytveFBBdWtpUEJyaWsrWDVaY2VKTEZ1SndkY1JWUGE4U3Q5ajJlSUowMHpHekpDNzlDNkltMmpXb0ZlUnVHOXQ2RUE0YllicjNYc2srRUxpdGlMUWkrajlPajQrUmRLdUR2Rm9GSDlwUUlBck9LQWJMSGcrWnV3d1FnY3RkVExHbGd3b25la0xwcFZtelY5RDdzb2dzWXg1K0NldW1ZeVJZTC84Y21WeXFwZnhtd1B6dE52bHpMQlZiNmo4bVM0TDU4UjAvWGJzUXZkSmhzaFJqb3BSODVva2NkSUxtYnQ5WmNkTDdrdVZFQkFpY2ZENUJWank4QStQcXh4ZUhsRFlPS3ZwdVp6eERWbURZYXpxQlA2bHFkYWlDMVRTR1ltVGZweDROWUIyWVp2RnN4anRRUk1RZ0p0Zz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * xXvcuMTIwD
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\iTPlwH0_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bBeecbbBE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1SUzlIRzJBaDRrOEpDMkppQys4ejNVb2N6bjUxSWhzMnJqYXRsdUx5YkhFeHlRYldUS0JmOWxsQ05wYlJVdndSNUVzMC9HSjFiNDZnMEt3TUhmNVVjcyt0V0NCbmR2V1craVVCTmFmSVA5YWJ3eTc4T0xKVWt3R2VxSkw5QUxLT3JkZEI5ZDdKV1Q2Wk9nS3ZwVkljK1dtYnBEMzNYaXp2a0QvUjZ1MTJhZ05JSndEcmhWMW9NOElhUUxmYWFuelAzcWQwcTFIMGo3S1B4VTVTNWUwOTRFbDZ6aEJ0VThBc1Q5Y3ZXNFpZUjRKNStpOHlUOXZJbWxWcEdldzdhNnVIYjV1NHdFeTFBZmxNbDFNY0ZFQlAwVE1OREpXNitJbFk2S3lwbnlYMU5jdUdBbVlxQThuWkVSbnlvOFpJcVZNeWNXVVRQeHZJb05kdlNSdDVsNE40eEtJL3hFYnNuUVhibk11UHVUb3dnSkFFSGwxNVlVUTNOWXlIMUYrckExQ2FBc1RiMCtxMlNmYU42RUZFYXdML2pKZ3A1V2p5RWFOdERRcEtIVDBhVGs2TTYxU2wxSXMzVStUbU9QOURvQzdGNC9NRnNoRXNnblJTcUh3QlVvRVdMWCtYSkw1SHF6bitiMmlIbUdnaVVHd0hGMzhRbjJhTTJMbGU1VG9nbGpCc0g0TG9QUFhoQ1J0VWpUVDhMOEN3RDdmMThCMFpuWGJKTnhkeHNJTURWaldGck9sNkQxYUNUZzRkZzZoMkRmbmhuSWUyRHVjdDhLeDdDYm95TzFnWHNxQ2FNUHBMSlRwOE4rbVlnNllVcFFwKy8yaUR6QzIvL3hQL1Y1TVE3VDIrTHVFeXRaV29NR0FPOWFOTDlQbVZ6ckNNallOVjFPNHR1WWlMaHIwRjJsVGhZdVFoVEtLaWFZZVlOQytYYVE0N2wzdndMUnI3eWdRVDN6TEdSOEJicnB2ME1VclZKbTdOdDNyQXZRUllpbCt4dEJtUFB0VlpNMnpWTlJkellMZ2ZDSjJ3Ky9GbUxaTnQ0d2RvZ01GYUMzQ2p6ZEd5U2lwdUlQVzJIb3ZKUlBJUEYvaHAvRFRVUEJwOXhLOTRkdXJkcU04dGVMdzRsMFMyRk92YnBDZ2hZNURWNDBSeHJ2bEllb05sVTM4TnNsOVFWNkpaeUlsOVBsZnN6UENPb1ZValpUenZLUlNGam5HODhZY2xPaVdCVXZaTVY4dk50d3ZsNVMzdFZGcFFDT0I0YUlZN00rTmh5Rjh5U3ZhUWliMWtBOFYvTFFMbWZudVd5VmhoYzBzT3pBeEJJaktkdkVVbmJiMHA2RStDcllzWVF2YUFndU5YaFVaeFYwWmt0ckd3WTZWRUlHNHlKY3RodU50eFdsVklTWUJRSXB0eDFVUHNHQWdBcTNJRkx1b3pMNUNKcDIzTHc2anZjRCtvdTNqWVMza3ZIeVdRNEJkNGU4em9NeFpBV2ZNVjRTM1c3cFhJUnp0Wjc1QUl2K1ZUUzlLSlI5YUEzSzc4SUlkT2RpRXRjOS9FcTZJNWd2dkcvVVNQOXJ6V1dhLzlweEk5UE16WU5GTFdNVEpreGF1eXVrQ2lyZkY5YVdqbm9BdGdsdElhQ0lUSnhDZC80MUZvLytTLzFVTkttZHBWcXdpVHNFSmFBa1dnRGpxTjdwYlZtRStqc2RVelczMnpVd084VThQZElnZjdNOXRmWm5JaEY4Z2VTYWgrNm1neFcvM21tTytveFBBdWtpUEJyaWsrWDVaY2VKTEZ1SndkY1JWUGE4U3Q5ajJlSUowMHpHekpDNzlDNkltMmpXb0ZlUnVHOXQ2RUE0YllicjNYc2srRUxpdGlMUWkrajlPajQrUmRLdUR2Rm9GSDlwUUlBck9LQWJMSGcrWnV3d1FnY3RkVExHbGd3b25la0xwcFZtelY5RDdzb2dzWXg1K0NldW1ZeVJZTC84Y21WeXFwZnhtd1B6dE52bHpMQlZiNmo4bVM0TDU4UjAvWGJzUXZkSmhzaFJqb3BSODVva2NkSUxtYnQ5WmNkTDdrdVZFQkFpY2ZENUJWank4QStQcXh4ZUhsRFlPS3ZwdVp6eERWbURZYXpxQlA2bHFkYWlDMVRTR1ltVGZweDROWUIyWVp2RnN4anRRUk1RZ0p0Zz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * KfWSiZGbmpPoP
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\iTPlwH0_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bBeecbbBE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1SUzlIRzJBaDRrOEpDMkppQys4ejNVb2N6bjUxSWhzMnJqYXRsdUx5YkhFeHlRYldUS0JmOWxsQ05wYlJVdndSNUVzMC9HSjFiNDZnMEt3TUhmNVVjcyt0V0NCbmR2V1craVVCTmFmSVA5YWJ3eTc4T0xKVWt3R2VxSkw5QUxLT3JkZEI5ZDdKV1Q2Wk9nS3ZwVkljK1dtYnBEMzNYaXp2a0QvUjZ1MTJhZ05JSndEcmhWMW9NOElhUUxmYWFuelAzcWQwcTFIMGo3S1B4VTVTNWUwOTRFbDZ6aEJ0VThBc1Q5Y3ZXNFpZUjRKNStpOHlUOXZJbWxWcEdldzdhNnVIYjV1NHdFeTFBZmxNbDFNY0ZFQlAwVE1OREpXNitJbFk2S3lwbnlYMU5jdUdBbVlxQThuWkVSbnlvOFpJcVZNeWNXVVRQeHZJb05kdlNSdDVsNE40eEtJL3hFYnNuUVhibk11UHVUb3dnSkFFSGwxNVlVUTNOWXlIMUYrckExQ2FBc1RiMCtxMlNmYU42RUZFYXdML2pKZ3A1V2p5RWFOdERRcEtIVDBhVGs2TTYxU2wxSXMzVStUbU9QOURvQzdGNC9NRnNoRXNnblJTcUh3QlVvRVdMWCtYSkw1SHF6bitiMmlIbUdnaVVHd0hGMzhRbjJhTTJMbGU1VG9nbGpCc0g0TG9QUFhoQ1J0VWpUVDhMOEN3RDdmMThCMFpuWGJKTnhkeHNJTURWaldGck9sNkQxYUNUZzRkZzZoMkRmbmhuSWUyRHVjdDhLeDdDYm95TzFnWHNxQ2FNUHBMSlRwOE4rbVlnNllVcFFwKy8yaUR6QzIvL3hQL1Y1TVE3VDIrTHVFeXRaV29NR0FPOWFOTDlQbVZ6ckNNallOVjFPNHR1WWlMaHIwRjJsVGhZdVFoVEtLaWFZZVlOQytYYVE0N2wzdndMUnI3eWdRVDN6TEdSOEJicnB2ME1VclZKbTdOdDNyQXZRUllpbCt4dEJtUFB0VlpNMnpWTlJkellMZ2ZDSjJ3Ky9GbUxaTnQ0d2RvZ01GYUMzQ2p6ZEd5U2lwdUlQVzJIb3ZKUlBJUEYvaHAvRFRVUEJwOXhLOTRkdXJkcU04dGVMdzRsMFMyRk92YnBDZ2hZNURWNDBSeHJ2bEllb05sVTM4TnNsOVFWNkpaeUlsOVBsZnN6UENPb1ZValpUenZLUlNGam5HODhZY2xPaVdCVXZaTVY4dk50d3ZsNVMzdFZGcFFDT0I0YUlZN00rTmh5Rjh5U3ZhUWliMWtBOFYvTFFMbWZudVd5VmhoYzBzT3pBeEJJaktkdkVVbmJiMHA2RStDcllzWVF2YUFndU5YaFVaeFYwWmt0ckd3WTZWRUlHNHlKY3RodU50eFdsVklTWUJRSXB0eDFVUHNHQWdBcTNJRkx1b3pMNUNKcDIzTHc2anZjRCtvdTNqWVMza3ZIeVdRNEJkNGU4em9NeFpBV2ZNVjRTM1c3cFhJUnp0Wjc1QUl2K1ZUUzlLSlI5YUEzSzc4SUlkT2RpRXRjOS9FcTZJNWd2dkcvVVNQOXJ6V1dhLzlweEk5UE16WU5GTFdNVEpreGF1eXVrQ2lyZkY5YVdqbm9BdGdsdElhQ0lUSnhDZC80MUZvLytTLzFVTkttZHBWcXdpVHNFSmFBa1dnRGpxTjdwYlZtRStqc2RVelczMnpVd084VThQZElnZjdNOXRmWm5JaEY4Z2VTYWgrNm1neFcvM21tTytveFBBdWtpUEJyaWsrWDVaY2VKTEZ1SndkY1JWUGE4U3Q5ajJlSUowMHpHekpDNzlDNkltMmpXb0ZlUnVHOXQ2RUE0YllicjNYc2srRUxpdGlMUWkrajlPajQrUmRLdUR2Rm9GSDlwUUlBck9LQWJMSGcrWnV3d1FnY3RkVExHbGd3b25la0xwcFZtelY5RDdzb2dzWXg1K0NldW1ZeVJZTC84Y21WeXFwZnhtd1B6dE52bHpMQlZiNmo4bVM0TDU4UjAvWGJzUXZkSmhzaFJqb3BSODVva2NkSUxtYnQ5WmNkTDdrdVZFQkFpY2ZENUJWank4QStQcXh4ZUhsRFlPS3ZwdVp6eERWbURZYXpxQlA2bHFkYWlDMVRTR1ltVGZweDROWUIyWVp2RnN4anRRUk1RZ0p0Zz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * AH7p3l3PcR7NHntPr
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\iTPlwH0_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bBeecbbBE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1SUzlIRzJBaDRrOEpDMkppQys4ejNVb2N6bjUxSWhzMnJqYXRsdUx5YkhFeHlRYldUS0JmOWxsQ05wYlJVdndSNUVzMC9HSjFiNDZnMEt3TUhmNVVjcyt0V0NCbmR2V1craVVCTmFmSVA5YWJ3eTc4T0xKVWt3R2VxSkw5QUxLT3JkZEI5ZDdKV1Q2Wk9nS3ZwVkljK1dtYnBEMzNYaXp2a0QvUjZ1MTJhZ05JSndEcmhWMW9NOElhUUxmYWFuelAzcWQwcTFIMGo3S1B4VTVTNWUwOTRFbDZ6aEJ0VThBc1Q5Y3ZXNFpZUjRKNStpOHlUOXZJbWxWcEdldzdhNnVIYjV1NHdFeTFBZmxNbDFNY0ZFQlAwVE1OREpXNitJbFk2S3lwbnlYMU5jdUdBbVlxQThuWkVSbnlvOFpJcVZNeWNXVVRQeHZJb05kdlNSdDVsNE40eEtJL3hFYnNuUVhibk11UHVUb3dnSkFFSGwxNVlVUTNOWXlIMUYrckExQ2FBc1RiMCtxMlNmYU42RUZFYXdML2pKZ3A1V2p5RWFOdERRcEtIVDBhVGs2TTYxU2wxSXMzVStUbU9QOURvQzdGNC9NRnNoRXNnblJTcUh3QlVvRVdMWCtYSkw1SHF6bitiMmlIbUdnaVVHd0hGMzhRbjJhTTJMbGU1VG9nbGpCc0g0TG9QUFhoQ1J0VWpUVDhMOEN3RDdmMThCMFpuWGJKTnhkeHNJTURWaldGck9sNkQxYUNUZzRkZzZoMkRmbmhuSWUyRHVjdDhLeDdDYm95TzFnWHNxQ2FNUHBMSlRwOE4rbVlnNllVcFFwKy8yaUR6QzIvL3hQL1Y1TVE3VDIrTHVFeXRaV29NR0FPOWFOTDlQbVZ6ckNNallOVjFPNHR1WWlMaHIwRjJsVGhZdVFoVEtLaWFZZVlOQytYYVE0N2wzdndMUnI3eWdRVDN6TEdSOEJicnB2ME1VclZKbTdOdDNyQXZRUllpbCt4dEJtUFB0VlpNMnpWTlJkellMZ2ZDSjJ3Ky9GbUxaTnQ0d2RvZ01GYUMzQ2p6ZEd5U2lwdUlQVzJIb3ZKUlBJUEYvaHAvRFRVUEJwOXhLOTRkdXJkcU04dGVMdzRsMFMyRk92YnBDZ2hZNURWNDBSeHJ2bEllb05sVTM4TnNsOVFWNkpaeUlsOVBsZnN6UENPb1ZValpUenZLUlNGam5HODhZY2xPaVdCVXZaTVY4dk50d3ZsNVMzdFZGcFFDT0I0YUlZN00rTmh5Rjh5U3ZhUWliMWtBOFYvTFFMbWZudVd5VmhoYzBzT3pBeEJJaktkdkVVbmJiMHA2RStDcllzWVF2YUFndU5YaFVaeFYwWmt0ckd3WTZWRUlHNHlKY3RodU50eFdsVklTWUJRSXB0eDFVUHNHQWdBcTNJRkx1b3pMNUNKcDIzTHc2anZjRCtvdTNqWVMza3ZIeVdRNEJkNGU4em9NeFpBV2ZNVjRTM1c3cFhJUnp0Wjc1QUl2K1ZUUzlLSlI5YUEzSzc4SUlkT2RpRXRjOS9FcTZJNWd2dkcvVVNQOXJ6V1dhLzlweEk5UE16WU5GTFdNVEpreGF1eXVrQ2lyZkY5YVdqbm9BdGdsdElhQ0lUSnhDZC80MUZvLytTLzFVTkttZHBWcXdpVHNFSmFBa1dnRGpxTjdwYlZtRStqc2RVelczMnpVd084VThQZElnZjdNOXRmWm5JaEY4Z2VTYWgrNm1neFcvM21tTytveFBBdWtpUEJyaWsrWDVaY2VKTEZ1SndkY1JWUGE4U3Q5ajJlSUowMHpHekpDNzlDNkltMmpXb0ZlUnVHOXQ2RUE0YllicjNYc2srRUxpdGlMUWkrajlPajQrUmRLdUR2Rm9GSDlwUUlBck9LQWJMSGcrWnV3d1FnY3RkVExHbGd3b25la0xwcFZtelY5RDdzb2dzWXg1K0NldW1ZeVJZTC84Y21WeXFwZnhtd1B6dE52bHpMQlZiNmo4bVM0TDU4UjAvWGJzUXZkSmhzaFJqb3BSODVva2NkSUxtYnQ5WmNkTDdrdVZFQkFpY2ZENUJWank4QStQcXh4ZUhsRFlPS3ZwdVp6eERWbURZYXpxQlA2bHFkYWlDMVRTR1ltVGZweDROWUIyWVp2RnN4anRRUk1RZ0p0Zz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * XQFBOxqjR4pwdE1R25p6
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Pictures\iTPlwH0_readme_.txt

Family

avaddon

Ransom Note
-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .bBeecbbBE You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTk0Ni1SUzlIRzJBaDRrOEpDMkppQys4ejNVb2N6bjUxSWhzMnJqYXRsdUx5YkhFeHlRYldUS0JmOWxsQ05wYlJVdndSNUVzMC9HSjFiNDZnMEt3TUhmNVVjcyt0V0NCbmR2V1craVVCTmFmSVA5YWJ3eTc4T0xKVWt3R2VxSkw5QUxLT3JkZEI5ZDdKV1Q2Wk9nS3ZwVkljK1dtYnBEMzNYaXp2a0QvUjZ1MTJhZ05JSndEcmhWMW9NOElhUUxmYWFuelAzcWQwcTFIMGo3S1B4VTVTNWUwOTRFbDZ6aEJ0VThBc1Q5Y3ZXNFpZUjRKNStpOHlUOXZJbWxWcEdldzdhNnVIYjV1NHdFeTFBZmxNbDFNY0ZFQlAwVE1OREpXNitJbFk2S3lwbnlYMU5jdUdBbVlxQThuWkVSbnlvOFpJcVZNeWNXVVRQeHZJb05kdlNSdDVsNE40eEtJL3hFYnNuUVhibk11UHVUb3dnSkFFSGwxNVlVUTNOWXlIMUYrckExQ2FBc1RiMCtxMlNmYU42RUZFYXdML2pKZ3A1V2p5RWFOdERRcEtIVDBhVGs2TTYxU2wxSXMzVStUbU9QOURvQzdGNC9NRnNoRXNnblJTcUh3QlVvRVdMWCtYSkw1SHF6bitiMmlIbUdnaVVHd0hGMzhRbjJhTTJMbGU1VG9nbGpCc0g0TG9QUFhoQ1J0VWpUVDhMOEN3RDdmMThCMFpuWGJKTnhkeHNJTURWaldGck9sNkQxYUNUZzRkZzZoMkRmbmhuSWUyRHVjdDhLeDdDYm95TzFnWHNxQ2FNUHBMSlRwOE4rbVlnNllVcFFwKy8yaUR6QzIvL3hQL1Y1TVE3VDIrTHVFeXRaV29NR0FPOWFOTDlQbVZ6ckNNallOVjFPNHR1WWlMaHIwRjJsVGhZdVFoVEtLaWFZZVlOQytYYVE0N2wzdndMUnI3eWdRVDN6TEdSOEJicnB2ME1VclZKbTdOdDNyQXZRUllpbCt4dEJtUFB0VlpNMnpWTlJkellMZ2ZDSjJ3Ky9GbUxaTnQ0d2RvZ01GYUMzQ2p6ZEd5U2lwdUlQVzJIb3ZKUlBJUEYvaHAvRFRVUEJwOXhLOTRkdXJkcU04dGVMdzRsMFMyRk92YnBDZ2hZNURWNDBSeHJ2bEllb05sVTM4TnNsOVFWNkpaeUlsOVBsZnN6UENPb1ZValpUenZLUlNGam5HODhZY2xPaVdCVXZaTVY4dk50d3ZsNVMzdFZGcFFDT0I0YUlZN00rTmh5Rjh5U3ZhUWliMWtBOFYvTFFMbWZudVd5VmhoYzBzT3pBeEJJaktkdkVVbmJiMHA2RStDcllzWVF2YUFndU5YaFVaeFYwWmt0ckd3WTZWRUlHNHlKY3RodU50eFdsVklTWUJRSXB0eDFVUHNHQWdBcTNJRkx1b3pMNUNKcDIzTHc2anZjRCtvdTNqWVMza3ZIeVdRNEJkNGU4em9NeFpBV2ZNVjRTM1c3cFhJUnp0Wjc1QUl2K1ZUUzlLSlI5YUEzSzc4SUlkT2RpRXRjOS9FcTZJNWd2dkcvVVNQOXJ6V1dhLzlweEk5UE16WU5GTFdNVEpreGF1eXVrQ2lyZkY5YVdqbm9BdGdsdElhQ0lUSnhDZC80MUZvLytTLzFVTkttZHBWcXdpVHNFSmFBa1dnRGpxTjdwYlZtRStqc2RVelczMnpVd084VThQZElnZjdNOXRmWm5JaEY4Z2VTYWgrNm1neFcvM21tTytveFBBdWtpUEJyaWsrWDVaY2VKTEZ1SndkY1JWUGE4U3Q5ajJlSUowMHpHekpDNzlDNkltMmpXb0ZlUnVHOXQ2RUE0YllicjNYc2srRUxpdGlMUWkrajlPajQrUmRLdUR2Rm9GSDlwUUlBck9LQWJMSGcrWnV3d1FnY3RkVExHbGd3b25la0xwcFZtelY5RDdzb2dzWXg1K0NldW1ZeVJZTC84Y21WeXFwZnhtd1B6dE52bHpMQlZiNmo4bVM0TDU4UjAvWGJzUXZkSmhzaFJqb3BSODVva2NkSUxtYnQ5WmNkTDdrdVZFQkFpY2ZENUJWank4QStQcXh4ZUhsRFlPS3ZwdVp6eERWbURZYXpxQlA2bHFkYWlDMVRTR1ltVGZweDROWUIyWVp2RnN4anRRUk1RZ0p0Zz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * t2q2jAcWngX1WefThbkEVOL
URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

    ransomwareavaddon
  • Avaddon payload 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (178) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
    "C:\Users\Admin\AppData\Local\Temp\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3352
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
        PID:4948
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic SHADOWCOPY DELETE /nointeractive
        2⤵
          PID:4424
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:2600
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:4068
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
        • C:\Windows\system32\wbem\wmic.exe
          wmic SHADOWCOPY DELETE /nointeractive
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of AdjustPrivilegeToken
          PID:1736
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
            PID:1560
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:4064
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
              1⤵
              • Executes dropped EXE
              PID:4380

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675.exe
              Filesize

              775KB

              MD5

              c19084114c85192dacfed89a92da6837

              SHA1

              a1d6461e833813ccfb77a6929de43ab5383dbb98

              SHA256

              46a8c1e768f632d69d06bfbd93932d102965c9e3f7c37d4a92e30aaeca905675

              SHA512

              cbcc47dfd2f1e1a15b93ff2df067ebce74a3623b5b5fa1162b9076d25175ea0f3f687c24b5051e7de753697b2a860595cf15351168f999e447ee5d0bc70cc11e

              Download Submit

            • C:\Users\Admin\Desktop\iTPlwH0_readme_.txt
              Filesize

              3KB

              MD5

              480e0fc2c6efe89a40f3efee910ee6a7

              SHA1

              9bc6e1cb8066708ba1a5402f18caaf7ae5b89497

              SHA256

              26cd2abc918286a95c7e78de2aa5fd9994e5c6d5aa534906efb61af3a5e6b9bb

              SHA512

              7022536a31d92c6db3332ce3ef16bf6d490896f2c31a2193641e5206be25550ca1e573774e8d6bbbc0d53b67d9b88967e4daec439331b2128555c0466902f978

              Download Submit

            • C:\Users\Admin\Documents\iTPlwH0_readme_.txt
              Filesize

              3KB

              MD5

              d44a8290e046c9aac4bcc403a497f609

              SHA1

              76ff9a4d2c091a4162393cf60ddb33638811d674

              SHA256

              776a2d1112fd3d474a419e5ac332d2e99b062b3f99bc1b896326d3784923065d

              SHA512

              b1048c9a4c3a604a9acc1e24c5aed69692286539c05a51626af40c1808114a9515b18ef49536c80eb31918e28b382ed9196a2e561282cbe0221c9a39c8bc1ae6

              Download Submit

            • C:\Users\Admin\Downloads\iTPlwH0_readme_.txt
              Filesize

              3KB

              MD5

              ae16baea3079eaadb868ec8bd49144be

              SHA1

              a5f26950529da7273318575650c3cc9f4ff37eb5

              SHA256

              c3f9834e9031b317a0aa721c378313231a1f2439eb8df3c06bc7e4c4fdcb84ae

              SHA512

              21d786abce1f8683bedee7b452f9eb7f583ed361c5f02135205230d63b5c75393a2d1f8aedf747add928e9a2e1479e08a78778995bd6fcb7a7d83bf50a54fa9d

              Download Submit

            • C:\Users\Admin\Downloads\iTPlwH0_readme_.txt
              Filesize

              3KB

              MD5

              c546a6482f251d9be29d12a435c8bcb1

              SHA1

              ace1c0012261d6f940e929b117edd9f91d96d8fe

              SHA256

              81491da8b4b101b385cac64189175a4a40fa2d5b210b45b884083fcdbee41014

              SHA512

              910c0f423a6e4350e33136f22c91db4f4f6014b6dfbce8a2ae9ffd3ba529ebb986ba31e7e3da8043c7d444752f36109917818bb5760feb2b87c5f2587c3c5baf

              Download Submit

            • C:\Users\Admin\Pictures\iTPlwH0_readme_.txt
              Filesize

              3KB

              MD5

              661eb361959934f59d13dea7d3617d0d

              SHA1

              5f384cd2f251db8c619f5afae67591d59774d2fa

              SHA256

              235dd6280afdd7b68a762b0e6c0e07188b6f5b5edaee01cb8390678d8c719480

              SHA512

              c7ecb43a7ef0a771e8ad03f6f030e3d822fe224823e41923783ea2d50280cd1ca2979b7de3a6ed015309a6a5b0cf2495f55ac83e0b13952cc0b7f5b382205bd3

              Download Submit

            • C:\Users\Admin\Pictures\iTPlwH0_readme_.txt
              Filesize

              3KB

              MD5

              4827205a39eb0ba16af98a5daa52e557

              SHA1

              cda1b9277e306689b8cfd226fad89f0b514329bc

              SHA256

              195c010cff1338530fc2ab860fe9965a7651809cbd7d61b0094fbd2f13dcfc5a

              SHA512

              30f370def7cc93aae616c4323cb3a750604700e880e2683fa0a62fdf6bfd57e057c64638a866d155b115e30643a59e4cc4d6f9d2dca4190ff4cb7a18e0b9bdbc

              Download Submit