avaddon | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
842s
max time network
856s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Size

1.0MB
MD5

c9ec0d9ff44f445ce5614cc87398b38d
SHA1

591ffe54bac2c50af61737a28749ff8435168182
SHA256

05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2
SHA512

c340baeb66fc46830b6b77b2583033ade6e10b3de04d82ece7e241107afe741442585bf2ea9d6496af93143c37e9676d4f1e1d301d55632b88b12daadadd43f0
SSDEEP

24576:Cs6JmdFn5KLOCgHWcAvcrOcEsKfR9uA7rmFbbbbpccf:Cs6JY5KLOCyWcDUfRAA3mFbbbbpc4

Score

10^/10

avaddon defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\246862-readme.html

Family

avaddon

Ransom Note

<!DOCTYPE html> <html> <head> <title>Avaddon</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #f1f2f3; font-family: sans-serif; line-height: 1.5; color: #333; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #dc3545; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #fff; } .description, .attention { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="83" viewBox="0 0 200 83"> <image width="200" height="83" xlink:href="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQ0AAABwCAYAAAAE2SWjAAAgAElEQVR4nOxdBZhUZff/3Xunc2u2g24URFEwADEQsBAxUBTEFsxPvxBU7PxEFLARG0TsQBRbFCSkc4vtrskb/+e8987uzM7MssCi/D/3PM88U7fve8974nd+R0Cn/B2kFwA9gMbOu90pndIp+5PrAYgAlnZeqU7plE5pS04FsAaAor1IcTg7r1indEqntJYkAC+FKIvQ15zOq9UpndIpoXILgIpQRTG8W7fAcQMHitp3imlYO69Yp3RKp5Arsi5UWfCAOHvqVK8SCPhXr1ghhvz36N/+anVKp/yNJTWKKyJfeN55gT1lZX5FUSRFUZSmigoxXqcLKg6PlknplE7plL+Z3AigNlRh9O7ZU/xkxQqPUlrqVn76yae0iPzgjBn+kGVv7hwsndIpfx/pD+CX1kHOa++6yxfIz29Unn/eV56eLu4GxIb580lxyKQ6GsvKAno1g0LLl3aOl07plL+H3AFAClUWJ4wYEfhh9eom5eefm7zHHhvIBZTCuDhln9Op5PO8KObmBjR7Q54xaVKotTGxc8x0Sqf878qZANaHKovELl2kBa+/7lG2bWtS7rzTVwQo+Xq9Uty1q1KUlcXe8wCl7IwzKLYhktYo2b49EKJ0tnaOl07plP89OQfAJ6HKwuFySU+/+aan+O233cpjj/nqsrMlsi6KMjOVopwcpjCaX5mZSi4gN739drO1cf2ECaHWxrmdY6ZTDlS4zit2RIoFwAsAJjcfnNWKSZdc4nt80iQxe88ewf/QQ8aSwkJOSEyEYLdDkaTI8+B5iIWFMPTrJ6Vu2kS/CPX79onOrCye/gWQB6Dr3/pKd8oBS2fB2pEnlwBYDuDk4JH11uvFl0eNCtx9wgmKc/58Y/7ChQav0cjpkpOh0+lgUhRYOY5FOcXQmUBRwDud8O3axelSU0XDscfyRoeDy/v1V2nj7t107+MAvKZlYTqlU9olnZbGkSMDADwCYFzwiHhAnhUfL93hdMLGcUJZbi4fsNlgTUqCQZZpEcUNyHWKIhfJsmLjOC6H4/T+0FPiOMg1NWSJSBl798p8Sop+77p1ge5DhgiatTEbwP1/26veKQcsnUrjrxedVhPyr9AjOctsDjyemIj+RqMgiiLfIEkw8Tz8gFStKHK5oijlioIKReGqFYWrkmVM0OvRl+d19YoSdlKcTgdfbi5s55wTSPrwQ9qfctaQIfIX69bR53rN4lCOqKvSKUesdLonf60MB7AyNCBp53n50fh4cZ7LJSTrdLqmQAB1gFwNSHmAvEVRlE2KIuQDfA2g43heCHAc7+I4ZRjP8wGAk1ufkixDsNngWbuWNw4aJOr79NH17tJFfvGNN2jSMAHYp8HQO6VT9iudlsZfI4kA7tYKzJjEcZxyld0u3R0fr8SZTHxAFLFXFAPlisKVKArKJYmvVRROVBSeUxTRK8v6gKJIoqKIZGlMt1j4EwRBXyHL0W8qz0MqLQUfFydmFBZy0Ov5oV26iGvy8wlSXgAg53/7kndKR0mn0vhzhcrW7wVwWZDbggeUcQ6H/xKbjR+k13v3SJKw1ucT9oqiXBAIoFKSDB5ZJmXB+WVZ9igKvLIs+RQlWD+inGE2i5+npOhqZJn3KbG9DE4Q4M/Lg33SpEDCu+/q1v30kzzkpJN4bRxMB/Dy/9wV75QOl06l8efJdQAe0KyMZhEAZajFInoVRbfF75f9kqRobmP77g3HYWV6ujTaYBD2iSKLbLa1LAIB+EpKlK6rV4s4/nhdttOpFNbX02p1AK4BUAigWHsF/r9c3E7586RTaRx+yQQwH8DZh2NPF8fFiYsTEviGQID3tmcFDbthHjBAdG3ciP/cdRf/0GOPRdM1JRqOg5RIPoC9mhuzG0Bup0L5+0qn0ji8cotmXRwW4hurIMgfpqeLowTBUCJJ7b6ZHMfBW1CgdF21Sqw95RTEC0Iw/dpeCSqUvZoC2am979BIgDrlf1g6lUbHCz2A4wHMAjDkcO7oioQE/+NOJ2+SJJZmbffN5DhIxcWw9O0rJf7xhzzt0kv5V99+OyyTZtDr4A+IB3pIZOzs0RTKLk2J7NGUSv6BbqxTjkzpVBqHLoRx6A5gMICRAE4BkNWerRp0AjIyM5GV3QUZmRlISk7Bsccei+3bd+LhB+5rc900g0FemJIijuJ5fZMsR6ZZ9yeiCH9JidKlqUkp8HjknKQkPtTauO6GGXj8sUew6Y8N+O77H7Fnz27s3b0Lu3fvRkHhvoO5aEFlsl37vFtTLHmasumU/yfSqTTaFk7LeNg15WDXYhT9tZqNXprCaBfL9+mnn4ZTR42CyR6Hnj17Ijk5GWarHa6UVNjtFtQ1epHmMGHDpu0YfFTftjal3JiUJN5ks/HZsizUHIiVERSeRyA/H65bbxUtTz2Fc0eMwEfff68L/p2SloHbbr8Dd95+S9hqNQ1u7Nm9EwV5edi+fTtTJvl5eaivr0d9XR1qqqtRUVl5IEixci1WUhoSgN2nvddovKYNAJo0uPsBmz+d0rHyd1caFGtIC3llaEohVVMG9FuyBoA6ZLn+hpsw/7l5bDNucv4r6tDQUI+A34fa2jpYrBYcP7Avln24EhPPOz3m7k622eR/JCRIxwM6nlKxB3lgiscDsbpaymlqQkljI9JdLq51bKNv/4HM2hB4HgXltUhJjoMxyrYaAgr8Xg8CPh/qa2uwY/s2rF2zBl+v/Ao//fxzR1w+skaqtXhKgaZUSrRAbZn2uQhAVUfsrFNiy99BaZAS6AKgm2Yd0PdsmkwBpANwtbWy2WRCcrIL3br3QJLLhYysbBw7ZAhkhcOVUy6DLB3YxHfSKaPw8ccfIq+4nM3OPM+hqakJdmc8Tji6H3bs3ofx48/B3p3ro65v4Xn59uRk5SyDAYMAofpgrIygaLiN1EcfFU133sldcPLJyvs//qhrvdiECy7EsveWYG9xOYt16HR6cLwAncBDlCT4/QHwggCr1QqnkY84nt9++w133XUXvv3227DfMzIyMW3aVGzevAnr1q3Hvn37IEWr1m2/uDUrpVJTIEWaBVOgvUq0QG3Doezk7y7/K0ojJcRd6BaiJDK1+ELEg9BaDAY9Bh51NHp074Gcbt2Qk9MVNrsN3Xv1Rk52DuxOJ8SACKfN2LyxIccej3W//3bAB/v4U//FtTfdjF9X/wqvzwOHw4lBgwbBYeBx7gVT8NH7r8dcd5jFIs9ITJSPBfhkjuOb2gBztUcIJarv1y+QumEDv2XDBgwYPDjC2iBZuepbjB45Alv35MNgMIDnefh8Pnh8XgicAKPRALvNBpPZzEaVThBgMeig51uG2AMPPIBZs2Y1f+/arQdWfPU1enTLZt+Lioqwa9cubNu2DTt37sTGjRtZDIWUiXKI5xkiNZqVUqq98rW4SpmmcIKKpdMNiiH7fZiOEDGFWAbdNeWQoX0OuhQRLoTDbkNycgr69euHmro6/PD99zHP5tmFL+LqqVewzw0SUF1VC8pEWm02NDQ0YOeuPUyxVBgNEAQdemam4Jghxx6U0thXuA8+fwA6vR4WgUd2dg5TGCSbN21oa1XlGIsFiRzHpwJcQwc8SEJSEgIbNwry9u1y/0GDhJP69JF+3L49QmnMuWc2Rn/3Hax2ByCJ8Hi97EUPM6dT07iBgB9+vx8cz8NqtUAvCBB4rlkD3X333SC7aPasu9n33L270bN7Dha+8AquvXoqMjIy2GvkyJEtJ6woTGns2bMHhYWFyM3NxY4dO5rfq6urD/SU47VX/xj/B7Q4S2kITqU45L1Ie/cc6I7/V+RIUhouLfMQr8USsjWFEFQWya1nQJrtkpKS0K1rF6SmZ6B3797IzMxE127d4EpORWp6Omx2JxJsqj7p0q078nP3Rt358wsWIM4ZjwkTzsGGdevh8/nRtWtXVFdVoramBnqDATqdAEmSkZ4cx9YxmOwHfJIOhx0XXnopexAMRgPinU44nGoc9cfVm7B3V2wWvmEWi3K0ySQnKAoncByvdISpqNcT/x/fuHSp5Jg1i7v/wQeVURdcELHp77//Hrtzc9G9a1ds31vAFAaJ0WCA0Whk7zLxd/AcTCYTc2HkKAc36+7/4KuvvsIP33/X/Nt110yD02nHxZMiaUtJGWVlZbFXa3G73diyZQs7tmXLluGXX3451KsBrb1DhvaKlTKv0KySMs3t2ae9F2mZoXItcPs/KUeSe3IagK/au3BWVjZ+X7cerqQEKheHIcoyZF/6JMDr8yPRYsCV067Ba6++2OZ2L5syFf+d9yz25OZDkgJsJjMZTbA77BB0OqaUUp1W7MqrwOhRI1GYd2BUm9ffcAOeeu45bPxjK5wOO5yOOCQm2NnxT7r0Wix9+4VYqyp3JycrA41G7hSOUwRF4TsKkskQomedFXB99hnDavRKSpJ3VVVFTCgPPvQQ/v2vf2H1xq3Q6wQY9HqmIEhhKBwHu80Km9moDiqOg46LPsB278lFzx7dIn6vqqpGQkL8QZ/H0qVLMX36dBYr+oulOiRQm6spld2aKxR0jf7fppmPJKVB0zf5DwPbszAN1muvuxGPP/EYRI5HQ6ObDViPzwevLwBJlCArMrNGAgER3TOScf+Dj2H23Xftd9u/rduItOwu2PzHRrYfm8PBrAyr2Yqe2WnYk1eME4aNQGXp7gM6QYvFglU//4qU9Exwiswo+gxmK9LiLNiysxAD+vYC5OhjabzdLo5zOvlUReHOEASutuN8fCiNjRQUFdM2bVL41FT9Z4sXB8ZdcYWu9fjo0iUH23buRmF5NXzuJnZtSHGQy+Fw2BBviZZXiS4TJ12MZUvfDftv7Ljx+PSTjw/pXIqLizFlyhR8/fXXh7SdwyzlrSyTIi04W6UpnFzNHTpg+M2fIQcCHT7cUnsgTXy8Xi/mPv0kZtx0I8zsLDiUVVSirKwC1VVVqK2tgbupEY0NDSxwB/bQmtu17dU//wi73Q6L1coCoLS+xWhiKVGSNb+tOWCFQTL9mmsx9OgBDNRFDxuZ806r6jrdP+ehmArDJQjyOQ4H55ZlLpvjpI4eSZzNBrGykvf+8APTRGOnTOH75+REpDHy8vLx0Ucfo2dGcrOFQeeg0wtMYXz62Ze4+fb/YNnyz1FU2nbm8/45kWRhn336CTZt3nxI55Keno6VK1ei/8CjDnobhJ85auAA9OrZAzaL5ZCOJ9YuAByr8ajcBuBJjRN2GYBVWiyFrBLSfPO0xlgjyLs9HAdzoHIkKQ1oF+ziAwky7dm1i70rsgyPxwNZVq0Lo8nI4hD0wAuCepqJrjazq82ybcsW2AwcLDY7szDMmt+u16nV6Dk5mQd8YjzH4eobZzCXiSwOZkLzOlj0PEoqGvDekjdirnu2w6EIPC/YAbkLzwuHmjGJEI4jMBYf2LSJ0xi8hPPGj49qhX6wfBl71+sNahCU42AyqhZGQJTwzFMPYeKEsejdqxf+PSs2qrVvn5446uhjIn5fuGBBh5zSe+8tO6Dl6f7OuvtubNq4EaUlJdj4xyasXr8J67dsx2dffIFbb7kZaakUXvvTJFPr0XsTxekBfKspkmf+xGOIKkea0iAhm/Wf7V14/HkT2LskiSxISYNYr9cxMJLA8TCZjPB6vMzOy87Obtc2d+/ehYBCBOBmZmHQgKKgpV6vlmf07tMbzvj2KaCgTJ4yBQN6dIVXBBrq69mxJieqE8e8eQshBRqjrpep18snWyxciSiiB88TTTnX4blACmBSbGPHDiVoEl81fboSzTxet0bNFtkcdvACx65vUJmee85YZGR1YZ+bGqrx8AP3YsnS92Lu9sqpUyN+e/vtdzqEd7BPrx4457wL2rUsoXMpzTvn/vsx4Kij4FF4NEpAvNWEHl2ycNaZZ+Kp/z6NvXn5ePSRR2JuhwLxI045hU0KByrx8fHQ6/fbYpdc+Bl0mQ54Bx0oRypOI0Erdkpqa6GcnGzk5uXDLSkoLS1nrgiZzWRZ8BzPHnZSJtU1dcjKzkJNZSWO7t8P7qa2A2XdunXDL+s3QeF4+N1u6PQ6GA2UV+SRoLkTg4ecgA3rfm33CW3ZsQv9evVAZYMXFRXlcMTFISPBAbdPQUZGNmqrotZzKDcS8tNq1ZWLojRRr4ddUYTDEUGTyspgGDhQTFmzhiwPimfIE046SVr+008RI3l3bh66d8lBWW0DTAYTDEYdzII6lG6YcQsWPDu3edkhxx7LkKHRpLS8ElkZGRDFcEzrlytW4IzToyNiKT5Fk0IsCSocOprf1q7H8cdFWjOhkpCQgL1798LpdDINWVpdD7/Px6zLDRs2o3+/XshMc2FHYSm6Z6WydONPP/2Iiy66mOFKQmXkqaOx6uuV7BcCtNF2d+7YgZ27dmHr1q3YtGkTRDG6yn/r7bcxauRIprxoPUopb926BQX5Bdibm4uamprWq3yjkVB31u1oYtUizkpbr0Wvv8E6AO0uLle25+5T8suqlF0FxcqewlKlsLxKKSitVDZs26Ws3riF/dfgDSgDjhrc5jbpFedwKIWlFQq1JiuraVAq65uUqga3UtXgae6ofPa5F+x3O8HXWWPOYuvU+yUlr6RS2VlQovhE1mJVeWbhmzHX62EwSK9nZopz0tKUZRkZgabsbDmsGVIHvvYlJCj7UlICUmGhP3iOf3z7baB1G0h63X///ez/Wk9AcUuy2ppek69X/RBxHtU1NUosGXLs0IjlL7l0cszla2rrlNPHnKdMveom5ZVF7yiN7ubDZU1r6RWQW5bv1ad/m/dmzn33seWoBV1pbYOyI7+YfX/syfns//jEFOXTz79kv1XUNzVvt66uThk5alTE9gYdc5xSVlkd9dgLCwuVrOycqMcxY8bMmOfc2Nio3HzLrdHW276/ifVwyJHonkBDc6a3tUCXnGxccdlkVDV54PP60LVLBrKTE2CzWaE36CBLEmpqa+Hx+qATdGhobILVqEP3bt33u/O6+nr4vW6WsDcY9er9Id/dZIBPm8q6d9//doJy9gTVhWps9ECURLjinTBoM/P8Z5+Oud65DofCcZxAz0IPnufoKA4XZThvtUIsKxP861vg6wNHjOBP7tMnwkV55ZVX2LvDpIMpBLxFcurIk5CWEY6p+OTj2BmRESNGRPy2/P1l8PmjV9TEOR1Y/fMqvPrys5h25cUMuLdt+072H11RUWl5okiuuuqqNs/7fO3e1DR6UVZazoK6JN+tUi2GmqoyjDvrTBQUFCLJbmn21xwOB1Z98w0mTrwwbHsb1q1B1y45qK5RW8mIITeM0vXfffstg9y3lsWLFzX/0ugXEZCV5nMgeP7T/30KKSkRMZXeAD5t8wQPgxypSuOU/blO819UB25pWSW6Z6Vjw+/r8cILLyEl3sECcuSSEAAp6CfW1tbCLcno3qvXfnfO2qoXae4CJ7A6C7PRwEzLimrVtTnqqPZF5zMz0nH55MnwSpSYlBnU2mlTszjf/bwO2zdHN92HWyzSULOZ2xsIoDvPK104jm84lDqTWMKrQ8BfWAjebBY5hyNUSfALX3wxIrZBpvOXX65gxxLteG644aaw74SfiCXXXnddxD+UGWsrIPqvf93d/LkgbzfGjh3T/J0YDekVfFhvuP46BvCLJoMHDcKAAQPgERVUVFRAFAPgOfWBPmbI0WFrTLpoknpBWl2MpUuX4L775oQt625swOkh7lVtk4/df3JMunbtgt9+jUQR19XV4/GnVLfOZtBBVDg0+iX45Ratc+mUa6OdxlA63JgX6zDIkao0prX15/Bhw3DW6aNRVN3A6kOMOh4PPvgk5s6dywZxY2MTAoEA6z5GA8jv96GGpWEbMGBAu2Ag2KK2MWTxEbPRyAqzamrq4POoiZ2cLl3atZ2Zt9wOm8UMt19igCin3dr8oM1/LjaQaxTN/AAvAkpPQSCrhzukUq4oQkTDhNHwFxYq5jFjfOnbtyvGESPCcHL9TjpJOH3QoIhdz5s3L+Z2p2pw/KD8+mvs2E+vHt1w8imnRvz+cRvWyYQLJoR9z8vNxR9//ME+s4Cu3KLMbFYzLpx0UdTtnKJZOSUV1fB5vbBZ1XtDj+no088IP4fVq7Frt5pm5xBuzcyePQvXXBuu/Nb9vhYfffwxA7gRp5okK/AGZGapDhlyTNQAMdEQXD71WuzcnQezABZ4N2i1O4vf/hgfLl8e65JcEeuPwyFHotI4d3+a854HHmbvjY0NyHTFM9TnR8vfg6epFl5JnW70RjUlSIEz4nlocrspL8tmlvbIpi1b2FKUEg0qDLI0KJ1LgyUtIwN6Q9u4D6q/uPraa9nyZgPPalk8fhXHmbuvCsuWvhl1vR4Gg9LDaOSIKDiV4+QcjuMaO9jKoAZKUmUlxKoqKX72bF/y558LQna2IYrxwN93//1cyDPC5NNPP2XWWzTJSEvBKSNHN/9TXl6OH374IeaxRMuiULFaLOndsxsGtkrX0vFAswLI89OFnMWkSZOibik9Q02d+30elvEwmy3wej0orW3EkGMGIzExPFzw2mvUwVK9QJRd88otFs3zCxegf6sJ6Z7Z97D3OKsBkiwzwKGirXvhxAtw+x3/iDimNxa9gH79+mL16l9h4lqsmiceexB7d2+KdUkujPXH4ZAjUWnc09afJ514Is44dQRK6hphtVgZt95zCxYTYJxVXVIcg/xNSiPSQ058FQ2NDSw6bjCakJySDGf8/mNHRDADbYDU1zcwy4UeeirKqmrysZqX4KCLJTfcOANxdisbWLKkMPo8UVJH2cIFL8ZMsxIuw8hxPFH4dRMEYvjhD5YzI5qQwhALCiA1NkrJS5eKzvvuM0SpQwoELfFh48dzg7KzW1kbCt58662Y+2itCBYuXBhz2UkXToDJHE6jWllZic8+/zzmOpS9CJXl76uzMJ2EvpXaO3H4CawEoLUYTWomzGI2M6yJ2+NmLi2l6AldPP7sc8LWeOP1lupjshxkeoVo02effS5s+Q0b1mPz5i1sjJKXQZaDFJBQ7/bBJwNPPP4Yhg49PuK4pIAXl16inl/wvk+9cnLEciGSpjXe+lPkSFMal2q0eTHlsmlqYKuhvhEZSU40eWTcf6/q41ZU1qCqopxVppLCoBRsXW0trBYbUpJTGKMUAbYoL78/2bZ1KxsMEgMtiRocPQB/IMD8X6PJgpz94D5u1WYSGsO19Q1ocnuQYDWgrimAF55/Luo6/YxGaYjJhDJRJPif3I3j4Ouo3DjHqb1PcnMJhy+mfPGFZJ440aiNAzYJitu3+xpfeslXOmKE5H7tNTEI9ppzzz1Ka2vjpRdj1/FcOJEUQQteYcmSpXC7o2P2bFYLzp8Qialoa/uXXBKuNNasXdPsPrQWqokZPvykiN/9PjVbSQBAt8fDFIbVbIHTrhYiXnzJpWHL5+fnY01z+phjFbzQapzowowccTKOG3pC2Dpz56qBbpNBB0VW4PF4IQb8THGA4VKiQy5y8/JQWFTcTHh05ZVXQqdvE6Z/aVt/dqQcSUqD1xogxxTiaDh7/Nlo8ktw2m3sQXrk8XmorSpkq9DDXVFexrIcVM5O5rPBaERSkgs+v5fVJcQ5zBFmZDTZV1SE3PwCNnMRUCwgBuALBOD1+lBWWkb8NejRRlB18mWXI82ltjhp9HhRT3B2o5Gd5OLX342JyzhHy5gQuU4WzyupHMe7OwIBSvELjwe+vDyYzzgjkNXYqJjOPJPKdgO+b77x1d9zj7/81FPlsmHD+KqrrzZ4v//eVDl9uiDl5zN/6uxp07hMmy3M2tiwYQMrWY8mFMc597yW2AMFGd95952Yhzd1WmQY68MPP0RjU/Ri0W5dsnD88JPDflv5Vex6x4kXRsY1aqpVqHtDU1OzwqCCOatVfTjPPGM0El3hGYtg5oiSLBrQmLpeMqwQyQutFN0bb7zJLBITD5bJE2UJHK8W8zUFFHTr1hXPvxA9tvXN1yvZGK92+xHvtOPcc8+LeX50im392ZFyJCmNR/ZHyPvv2fcgPTkJpdV1SImzobisFo8+fG/YMjQbkEYnhUGEMCkpqSzNSd+JB4NyKf37x6JSCJcdO7azm0bWBfFfULl8fX0dM2MNeh69evWOue6cOWpEnVJnZRVVrFQ8NcEOvww8/d8noq4z1GyWjzKZ+ApRJGXFAqBCtN6sByGK2w3ebhcd06d74p95Rgr8/jvq7rxTLD3mGKVs9GihZs4co3fVKiMdqD4rizN27QpFFIWK887jIcukLHQP33dfhLXx7HPRLSaSG2+4Iez73Kfnxlz29FNHILtLeOUrlQQsenVR2G+hqZxrr7km7L9VrZjBSPza0V500STo9OG10Ll7c9Vl/AGW1SKFYbeZYeDU/dC9nzIlPMb49jvvsMkp6OzIzFWRIflFFuwedNQAnHd+i7KkGMmi19Rz8EsSG4M6nvXgZuOKsirXXH01ZsycGXHs/33qKfYetDJvmjkj5vXTKCROa2uBjpIjRWlQGDsyKhQi6WmpuG/2LNR5RaTGq+bjFVOvR8AbHoyjWhSyBswWC9LS0hlegx50QoraNbPzqKPal0HZuE7tiez1+1kakIrgRMrKCAIa3T707tsn6npUnk0cH2S27iurhCSKMFvV+Muri5Zg787IIJ+J45SL4uLgUxS+TlGQw/NyD47jOizNqihEuKMoHo9QMX68sfTYY4Xaxx83BnbsMOjS03X67GzosrLAmdXgriKKMHTpAu+GDbqqK65grvtlt90m9HG5wqyNBQsWsIcumpx80jAMOua45n/++GMjfvzxx5iHeOutt0X89kgr2DaLD2mfp1w+GQmJLXD+pUuWoLS0tPm7l9wBrx+VDR6kuBJw+eVTwrb1888/ockvIjM9FS6XC3a7qjAkzS0lmdnqYSZ3d+MGlSiJ4hSSKEMUJaZIvKK61vwF4fGb++fMYcccb7cyikSqQyJVQNaXx6deu2fmzsUVU8OtLQoGf/f9D4i3GFDn9WPkySdi0OA2uxQW5QIAACAASURBVGJc3dafHSVHgtKgY3h+fwvdc/9D7L22wQ2rUY+V3/2OlZ9Hmrv5+XmwmvSMsYtuCj3oFOQihRGsdu3Zszd0hv1zBW/ZolZc+v0iGhsbmcIgYA5VdvoCfvTt1z+qn3nPvar1U1nnRlNjIyvucsXZ2G8E0okmZ9jtUrZez9dIEhtg3XieM6kp1w4RzmpFIDdX73n/fYNSU8MJ6ek8KQohOZm5LojiAlERoCEtDQ1vvCF4v/iCDoW/4847w5ahVOXS92LjMKZfNT3s+7xnn4257ORLL2WYmFApKtqHn35SiYmDmQoumCXhOVzWShG8qlkmZGHQfaMYQmWVyu41ecqVYctSK4Yd27bBadLDalKtUDG4bW2ZLtkZOOHEU8LWW7FiBXtnSkOSWIaOChtNRj18soK0FBcumNjiDuXl5SEvPx9mndo2l2Bbkiwx5WHQ8c048EWvvIyBrapzg+OlpkGNB1173fUxrx+Ao9v6s6PkSFAat2jItpiSmpKCq6+aCo8ow+VUo+z/+Ed0w6SkuAgWvcDSrXV1tazS1Wq3M8wGA2ixmpV0dOkSSQLTWvbs2g2fRLOVh/GD0jYowGo2m2ExW5CTmc56loTKhAkTkJmRgTpvAJ6mJijE6aHXw8hz+PLrX7F9cyRmwc7zymlWK2olibkiZHUkcRzn78g0K3VgM5nAJyWBo4KqGIoiTOh/o5EyD3z1jTfSoUgTrrlGaA32erGtgOWlF4e5Bcvee48RKUcTV1I8xo6L7F75gubzU9yR0qmEwwhinlojPp9/Xp1/aDmKIVCAUxID2FdZi1EjTkTPXuHW4dZNqtWnC1EY+hDFRHLZ5PDMxSsvq3ENIw9mZZD1QFSQZNV6/Kq1ccst4a0fvvlKVTQU+iB3hs6FeFWJGlH0SahqUvMk3333XXNWh+SDDz5AVXUt0hLszPqZeOGFMJpipvp7apmUwyp/tdKgs//X/ha694EH2U0kEI7FIGDZx99iw5pVUZctKS5GRW0DfH4fDAayMBwMFWoyGBgDV0BWZ5H2ZFB27tqJvIJCZqlQkRSZoBTMJCVGnNsmPY+cLjlh6/zzbpU4t6HJA6/HzRClaUkqG9UTTz4ZdT9j7HYpVa8XGqi8X1Hg4jg5ieOUI4KEkvzwjAz49+7VeRcskOMdDvmMQYPClAZBo0vLyqKunhDnwAUXtOAkaGZ+883o+BSSaVECokuWvMvS6bz20PEhOIyjBvQNK7EnS/OXX1eze9zQ0MjcSsLZUGCc1m9tmRDvKEIURFBhMNY37ceLJl0IQddSt7dn7x6sX7+ebY8sT6qApqplisEQVwoYNOAERpwclHnzVAvLZtarFoZe5ZqVtUmJFBu53vHxcfjqq5Vhx7j4tUUwCjz2ldUgKd6B4cNjZlfpkKIj2TpQ/mqlceH+Cm5Sk5Nx7fSrmO9JlaZNAeDuf8fWM0TaW1y0D3ZHHOPe1Bl0MOn1zDpg1ZHaDEVlzPuTquoaxilKmAyKevO8wHxfQg42NrnZ2qHB0JNOOhHHDR6EOp8E0e9jEXlHnJNZPhu35mLl55FmfIIgyIT+rJEk5un6AaUbz1NXpg5zTQ5ZiGjHbkflv//NQF73v/RSBNhr8eLFMfdy/oRzw77PbwMiPn7cWDjjEsJ+owf//fffZ5/pIrXGYbTOvCzQ8BIUi6I0OU0YDNWrABe0Anr9sno1e+dDFAZLs0tKMwN6UmI8zjxrXNh6ixapbpDZpGeYDVKGZInSOpTtAEuTtmBVCLFKBEMmgWeWF68TmGVCwXWyPFj6VpGZhXrySSfiiSdb3Nj5z6kKJ3jBR506Gm3IJW392RHyVyuN/Z7g/Q+rgbAtu/YiIzEOn326Ets3r465fB3DZtQhOysDep0ORh3xWJpZPIOUBt0gEip0ao/sKyxQiX8VICUlGXEOB2PcDmIOeoVYLLffpSozin/QzGa2WJHhUq2MuU9H9+XPtNmUJJ1OaJJlBuRxcpzcleOYxXHE8BZQEDUxEWJtrc43fz43dMgQDExPDwuIBlOR0eTkk8IxEhRI3L07eqrWoBdYn5XWEkxLRiuKv/SS8GH07pIlqGloQmpyksq6ZrawTEVucRn69+qOk0e0wNa//OKLsOI4Oimq9yB9IVDPW+33yy+7LGwfb2nANiOnZnnUcn0OHreXKTmwtHv4Os9p8RyjQWAmk9dHKViRWcKEA6KAMgVuKR5z+223oncftcve7j17sHrNWnRJiUeN24czorhwITJUa/Z12OSvVBqUZB/T1gI9unXD9GlTUVhRgzi7Gkh8/NEH97vh8tJiOPUqo5TVYoHRZFCrVekGK6rS6NO3zbaHzbJ962bG4pWSmorEhHgW0yCloTeo5ioxloPNOEacetoZLO7i9XjYIEhJdrFBXlBcjbfeeDli21aeV060WrmglUGMXD15HtTP5Ejjx6egqKDXo1pNsXLPvPoqQq2NHdu3N9d/tBbKfJ12evitfuzxx2Lu68abboz4jVwgCiZGk2RXAiaEBB7p/rz60gusKpWC0L6AavVBw1LcGRIPo2WXvLuEfW5WGLIaZOVCYNznnjM+LFNDiNVPPvmEfRbIJVGgArdICeh0zA3u3jUbI0e1ZEEXL36dlTOQonGT2ySKDGVM7gp9Vi0OBRU1DezCrvjyC7goUA3g0YfUcU/ZuOMHDcCYs8a3dbvaLu09RPkrlcZD+1tg3kI1wLZrbx56Zadj+affYc3qyFx8a9m7R0UGWixWmMwq+S3YPEDRanWu6t6jJ8zW/VMu/rFxI3vwCVEqSzIC/gCbvRw2Fe3YtZuqNKZcORUOkx4VNfXM7ExMTEScBhKiwJnPUxex7TNsNjlZp+PIyhDVAI/ch+dp8B62EviDFrI2UlLg37qVk374QR55xhn8sO7dwzyob775JubW77wrnND5xRdeiBkQHTJoIIafFFky/8wzkUx3Xi0ievMtt4b9/tQTKhbGarcxJK7daoVLA9uNHzcmLID9rGYBsIdB4VgbBir+VTTgFtWK0KRwZauU6BPaPkwCx4KuBAAkuDqBARu9air1xptaKn49HjcWaLiWALNO1PgGWRgUE6H9+n0ByGIAxdUNjGnup59+YstTQDS3cB+yUlVv/tY77oh1qUnaTLEcqvxVSuNECgG0tQAVDI05/VRs2F2Avj3VG3znHbe3a+NF+1S0pcliVun1GV+2annQzfFLCovU9+y5/zJ5Yl6StW0xC0OvZ02YqNGRKCvMZaE02dnnTYBblKFj/KQmFkMJXtwPPvgwYrsOnpdPtVqVWs3KoIK0bEFQ0jiO7+jitA4TlQeCr37kEZWM56mnwmIbBBWPJaePHon0Vjwbb4VAqJVWwK1JF0a6KG+8Ec6jSgrD5xNZhuvkE49H9x4t97OouJh1hUuNs7GAeHx8AqzmlmDm5MtaAqK//fYrQwuz1nKCyhZA7gm9KIjq9qm68bJW7gZlOqqqqljQNSCJLChKFJNEOaloFi3FaCi+FpQgGC7BYQXH8SweQoqGp0B7QFSJmgUBnCxhT1E5evbogbfeUaEFTz/xOOLMRuwpqcToUSPQpWtMTpe2erYcsvxVSuOW/S1w9z0qW3VjQz3SEuLx8uLl2L3993ZtnEqlwSLVBgbZhUZ+SzeoprYOtW4v9Hz7MihkEufmFcCqA1MUVpuFWS8Umad+rC5XEh5+

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Avaddon_09_06_2020_1054KB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Avaddon_09_06_2020_1054KB.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (290) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe"	Avaddon_09_06_2020_1054KB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe"	Avaddon_09_06_2020_1054KB.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Avaddon_09_06_2020_1054KB.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini	Avaddon_09_06_2020_1054KB.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\Z:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\F:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\E:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\G:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\H:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\K:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\W:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\Y:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\B:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\I:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\T:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\U:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\P:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\Q:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\R:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\A:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\J:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\M:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\O:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\L:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\N:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\S:	Avaddon_09_06_2020_1054KB.exe
File opened (read-only)	\??\V:	Avaddon_09_06_2020_1054KB.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.myip.com
4	api.myip.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\bckgrd.bmp"	Avaddon_09_06_2020_1054KB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\bckgrd.bmp"	Avaddon_09_06_2020_1054KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2332	vssadmin.exe
1172	vssadmin.exe
688	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Avaddon_09_06_2020_1054KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Avaddon_09_06_2020_1054KB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Avaddon_09_06_2020_1054KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Avaddon_09_06_2020_1054KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Avaddon_09_06_2020_1054KB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Avaddon_09_06_2020_1054KB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe
2764	Avaddon_09_06_2020_1054KB.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2384	wmic.exe
Token: SeSecurityPrivilege	2384	wmic.exe
Token: SeTakeOwnershipPrivilege	2384	wmic.exe
Token: SeLoadDriverPrivilege	2384	wmic.exe
Token: SeSystemProfilePrivilege	2384	wmic.exe
Token: SeSystemtimePrivilege	2384	wmic.exe
Token: SeProfSingleProcessPrivilege	2384	wmic.exe
Token: SeIncBasePriorityPrivilege	2384	wmic.exe
Token: SeCreatePagefilePrivilege	2384	wmic.exe
Token: SeBackupPrivilege	2384	wmic.exe
Token: SeRestorePrivilege	2384	wmic.exe
Token: SeShutdownPrivilege	2384	wmic.exe
Token: SeDebugPrivilege	2384	wmic.exe
Token: SeSystemEnvironmentPrivilege	2384	wmic.exe
Token: SeRemoteShutdownPrivilege	2384	wmic.exe
Token: SeUndockPrivilege	2384	wmic.exe
Token: SeManageVolumePrivilege	2384	wmic.exe
Token: 33	2384	wmic.exe
Token: 34	2384	wmic.exe
Token: 35	2384	wmic.exe
Token: SeBackupPrivilege	2932	vssvc.exe
Token: SeRestorePrivilege	2932	vssvc.exe
Token: SeAuditPrivilege	2932	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2544	wmic.exe
Token: SeSecurityPrivilege	2544	wmic.exe
Token: SeTakeOwnershipPrivilege	2544	wmic.exe
Token: SeLoadDriverPrivilege	2544	wmic.exe
Token: SeSystemProfilePrivilege	2544	wmic.exe
Token: SeSystemtimePrivilege	2544	wmic.exe
Token: SeProfSingleProcessPrivilege	2544	wmic.exe
Token: SeIncBasePriorityPrivilege	2544	wmic.exe
Token: SeCreatePagefilePrivilege	2544	wmic.exe
Token: SeBackupPrivilege	2544	wmic.exe
Token: SeRestorePrivilege	2544	wmic.exe
Token: SeShutdownPrivilege	2544	wmic.exe
Token: SeDebugPrivilege	2544	wmic.exe
Token: SeSystemEnvironmentPrivilege	2544	wmic.exe
Token: SeRemoteShutdownPrivilege	2544	wmic.exe
Token: SeUndockPrivilege	2544	wmic.exe
Token: SeManageVolumePrivilege	2544	wmic.exe
Token: 33	2544	wmic.exe
Token: 34	2544	wmic.exe
Token: 35	2544	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2384	2764	Avaddon_09_06_2020_1054KB.exe	30
PID 2764 wrote to memory of 2384	2764	Avaddon_09_06_2020_1054KB.exe	30
PID 2764 wrote to memory of 2384	2764	Avaddon_09_06_2020_1054KB.exe	30
PID 2764 wrote to memory of 2384	2764	Avaddon_09_06_2020_1054KB.exe	30
PID 2764 wrote to memory of 1172	2764	Avaddon_09_06_2020_1054KB.exe	32
PID 2764 wrote to memory of 1172	2764	Avaddon_09_06_2020_1054KB.exe	32
PID 2764 wrote to memory of 1172	2764	Avaddon_09_06_2020_1054KB.exe	32
PID 2764 wrote to memory of 1172	2764	Avaddon_09_06_2020_1054KB.exe	32
PID 2764 wrote to memory of 2620	2764	Avaddon_09_06_2020_1054KB.exe	36
PID 2764 wrote to memory of 2620	2764	Avaddon_09_06_2020_1054KB.exe	36
PID 2764 wrote to memory of 2620	2764	Avaddon_09_06_2020_1054KB.exe	36
PID 2764 wrote to memory of 2620	2764	Avaddon_09_06_2020_1054KB.exe	36
PID 2764 wrote to memory of 688	2764	Avaddon_09_06_2020_1054KB.exe	38
PID 2764 wrote to memory of 688	2764	Avaddon_09_06_2020_1054KB.exe	38
PID 2764 wrote to memory of 688	2764	Avaddon_09_06_2020_1054KB.exe	38
PID 2764 wrote to memory of 688	2764	Avaddon_09_06_2020_1054KB.exe	38
PID 2764 wrote to memory of 2544	2764	Avaddon_09_06_2020_1054KB.exe	40
PID 2764 wrote to memory of 2544	2764	Avaddon_09_06_2020_1054KB.exe	40
PID 2764 wrote to memory of 2544	2764	Avaddon_09_06_2020_1054KB.exe	40
PID 2764 wrote to memory of 2544	2764	Avaddon_09_06_2020_1054KB.exe	40
PID 2764 wrote to memory of 2332	2764	Avaddon_09_06_2020_1054KB.exe	42
PID 2764 wrote to memory of 2332	2764	Avaddon_09_06_2020_1054KB.exe	42
PID 2764 wrote to memory of 2332	2764	Avaddon_09_06_2020_1054KB.exe	42
PID 2764 wrote to memory of 2332	2764	Avaddon_09_06_2020_1054KB.exe	42

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Avaddon_09_06_2020_1054KB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Avaddon_09_06_2020_1054KB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Avaddon_09_06_2020_1054KB.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2764
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1172
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:688
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\246862-readme.html

Filesize
49KB

MD5
b6154de7f2ac7e8fe9dccd7b13b5c32d

SHA1
e9ebabcc960a65303eec6285c160467c02eed0b6

SHA256
b5bed7325bffbe40ba90d6ffd7c574cf260588da55282a8b6837b707930e8e3b

SHA512
16b1667b46c74840f06386d3cd53b12174843e1f4c80addc4edef3ea4e5886cac7b423e999fec5f8dab082f450ca1f87c27c3e6a47ab3bc58809c64827867c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cde4b6874d4b312b08d19e3566334c73

SHA1
49a0735776cee17b28fba1578272e200607e1651

SHA256
7582611259471b52123298e75c781b842a47f806d11637ba8aab7c3de4a33a83

SHA512
4336905485ff70354bb3ca6577dcb7f2c669a2d64bdfd0a9c1beeca8b8e279f50464782dbdc2f8eae8e3d064b35ee3a20beb824e3ca574fd96ab8b6d0b5d25e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4887.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4907.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\CheckpointPop.xlsx

Filesize
16KB

MD5
ee6125a470b60666fead1489748e46c9

SHA1
e61ca2cc907b7aa647566a4c76ca93ef5f583d2c

SHA256
29c7e0ce2f45bba4f05598e5b5ac1decb80732aefed13b77b7e156567b8bd085

SHA512
c86ed8c58ab48dc5dea0d14060a324fc2ac9d318260cd7fb90263723099f4db2e383b4808828fa6e2e82cfbf2d317364ad4ed5aa8bc4dfabe328df49c4a92593

Download Submit