hxxps://gofile[.]io/d/2DDghj

Resubmissions

15/04/2023, 06:29

230415-g89aladc88 1

14/04/2023, 01:53

230414-ca7xnagh7v 10

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2023, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/2DDghj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Tor_server.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1084	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	firefox.exe
Token: SeDebugPrivilege	1124	firefox.exe
Token: SeDebugPrivilege	1124	firefox.exe
Token: SeDebugPrivilege	1124	firefox.exe
Token: SeDebugPrivilege	1124	firefox.exe
Token: SeDebugPrivilege	1124	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe
1124	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 3744 wrote to memory of 1124	3744	firefox.exe	85
PID 1124 wrote to memory of 2164	1124	firefox.exe	86
PID 1124 wrote to memory of 2164	1124	firefox.exe	86
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1004	1124	firefox.exe	87
PID 1124 wrote to memory of 1200	1124	firefox.exe	88
PID 1124 wrote to memory of 1200	1124	firefox.exe	88
PID 1124 wrote to memory of 1200	1124	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://gofile.io/d/2DDghj
1⤵
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://gofile.io/d/2DDghj
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.0.494701400\774066196" -parentBuildID 20221007134813 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9bac71b-584f-4369-aa2c-ace91461b132} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 1924 17f69e19258 gpu
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.1.1251104140\1868731826" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56ca6bdc-41f2-45fe-81a7-818ed0253e8c} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 2424 17f5be72b58 socket
    3⤵
    PID:1004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.2.391402499\1150161720" -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3276 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d8e76bb-94d6-4833-a7c4-bfd96f62227a} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 3236 17f6cc0d758 tab
    3⤵
    PID:1200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.3.1566509375\514054257" -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4008 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {559f633c-f0d7-425c-b6b9-4624202105f2} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 4020 17f6dd54258 tab
    3⤵
    PID:3152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.4.644441559\609630893" -childID 3 -isForBrowser -prefsHandle 4680 -prefMapHandle 4684 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4857014e-5160-428e-b318-3f80d48f8c92} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 1664 17f6b547258 tab
    3⤵
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.5.1306255131\181868465" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4900 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {237de8fe-9c17-4ea9-ad89-d929414bfdc8} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 4992 17f6cdea558 tab
    3⤵
    PID:2960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.6.461213170\91134755" -childID 5 -isForBrowser -prefsHandle 4760 -prefMapHandle 4884 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6782589-dd3e-493f-a860-a27e405d895d} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 5208 17f6f055058 tab
    3⤵
    PID:1036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.7.435243360\1954787718" -childID 6 -isForBrowser -prefsHandle 5632 -prefMapHandle 5136 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d292e158-61ea-4146-980c-addd6f8c1008} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 5672 17f70c78558 tab
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.8.1898837711\253403280" -childID 7 -isForBrowser -prefsHandle 9464 -prefMapHandle 9468 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0aa7de6-2be5-495c-a308-e368b1a773b6} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9456 17f6fcdcd58 tab
    3⤵
    PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.11.1932733881\1072005123" -childID 10 -isForBrowser -prefsHandle 9220 -prefMapHandle 9212 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9cafaa2-b1ff-45a3-9ed2-7a4a4e5b8a29} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9136 17f71e20258 tab
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.10.1273179041\782032576" -childID 9 -isForBrowser -prefsHandle 10048 -prefMapHandle 10056 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {907e3022-643d-4ff9-94cf-91379fecd941} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9852 17f721e6b58 tab
    3⤵
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.9.1054854211\577520367" -childID 8 -isForBrowser -prefsHandle 5868 -prefMapHandle 9404 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aba98027-6ee8-457a-b870-5e8a0833d668} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9360 17f7212dd58 tab
    3⤵
    PID:2688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.13.1833356795\1995344111" -childID 12 -isForBrowser -prefsHandle 8804 -prefMapHandle 10080 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1193f2ec-29f6-4146-8f31-a31f43b206db} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9404 17f6fe87258 tab
    3⤵
    PID:5164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.12.519095728\1104681341" -childID 11 -isForBrowser -prefsHandle 8888 -prefMapHandle 9904 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a5be7be-44a9-4708-a895-ab16d342cb23} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9208 17f71e23858 tab
    3⤵
    PID:5136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.14.302773536\810676033" -childID 13 -isForBrowser -prefsHandle 8740 -prefMapHandle 8736 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {047a611a-168d-45f1-aba9-e938830e4c74} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 2924 17f6ec7db58 tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.15.1986617038\753489554" -childID 14 -isForBrowser -prefsHandle 9504 -prefMapHandle 8344 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14a252ca-74ce-479a-ba8a-02a67ab77a8c} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9904 17f6fb63558 tab
    3⤵
    PID:6108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.17.1310397559\1362595929" -childID 16 -isForBrowser -prefsHandle 8060 -prefMapHandle 8056 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5dbfb27-23a7-4b4a-86a7-ff2512c668b0} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 8652 17f6fb63e58 tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.16.1994956589\1289504302" -childID 15 -isForBrowser -prefsHandle 8228 -prefMapHandle 8224 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1453c9ef-9fbd-4289-8058-435eb1017b34} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 8236 17f6fb63b58 tab
    3⤵
    PID:6120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.18.771780668\797591933" -childID 17 -isForBrowser -prefsHandle 8024 -prefMapHandle 2880 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7430fff-0323-41b6-ac34-6db33ffd8be6} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 8036 17f7329d558 tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.20.440987656\232421619" -childID 19 -isForBrowser -prefsHandle 8036 -prefMapHandle 8196 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41a5167e-f4e7-476b-b652-e5680d0e222b} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9128 17f6e8bff58 tab
    3⤵
    PID:6632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.21.811262608\703813480" -childID 20 -isForBrowser -prefsHandle 7536 -prefMapHandle 8236 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0148c4cb-9f7a-43b0-bcfd-66fec06b8fee} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 7528 17f6e97d058 tab
    3⤵
    PID:6640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.19.1493873015\1494803255" -childID 18 -isForBrowser -prefsHandle 9092 -prefMapHandle 10040 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c43844e4-b6c6-4c47-b674-fa9809ebbd8a} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 9952 17f6902ec58 tab
    3⤵
    PID:6624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.22.2135211897\41063966" -childID 21 -isForBrowser -prefsHandle 7156 -prefMapHandle 7160 -prefsLen 26851 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36960448-19f2-4b6e-8be4-6aad3011b966} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 7148 17f70589458 tab
    3⤵
    PID:6216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.23.1333459782\1761058250" -childID 22 -isForBrowser -prefsHandle 6988 -prefMapHandle 7072 -prefsLen 29386 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31f3c399-0667-4d70-8902-523f7d53d8f7} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 7076 17f6fd3f658 tab
    3⤵
    PID:5700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7080

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Tor_server.zip\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp

Filesize
138KB

MD5
530a42e3094de775992bc22ba5ea55ec

SHA1
26542853af4ee9a3956b1c530de78426c35db424

SHA256
1d2135f5bb9fea0adf27f9e9f658f05f326f8184d48041d7561b508e8d0192e7

SHA512
87d5bdfdb4f5f220495b20fdc1ed7be04ba174c5e2745553b7a8513965bde3213f20e81b13cdf3643f15c6c6f4d374e7c821ccfaa3d7e63281e5027525ab179c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\14603

Filesize
14KB

MD5
3a76dd1ccef78852edad87210f6ffbad

SHA1
89b7ec3bf17a849bea2320f6bc938ed15fe0503e

SHA256
ffe1a0d2b8d5acaa879334dfb3d01548547cdaba78a52d39ed7d72b6985c17fc

SHA512
6d3c51befa6feb1dc0d98a5aa139768333e439eb0c17160b6064560a6685130910f448e38128edf5e784cd7417b62d83b6a856dc4283857b312b379c210f669d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\20601

Filesize
9KB

MD5
f131bf49a39b8fe4215608cb2c6342be

SHA1
ee2172afa36194351e61ee6832e66591c11719fe

SHA256
fbe7511467aba0d74a76ad7a2b0000acb819e2a10ebe408eacc4fbb54a717aa8

SHA512
18683bd506beb8ac669f8481de45452abff7c62bb44e0a90fd9906a52d66b5be6acb8e2f47f599b5673e3fed16e6406e8303354469439ce3d73d24f6649484f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\21835

Filesize
8KB

MD5
eec233621b7d7fa73b530d503bab7c14

SHA1
772170ee3690570634b4f2f3f1f7e27ace71b1d2

SHA256
ae7d72bfe125dec7cfbefa3e53329fc27e7594136ab53f0c67bbe4c58c41cb01

SHA512
662e8c55a06076617942b7f72271211ba9fae32c55d5c497eb4d02c2adadaa3cabf043a424a346c07759a79d9a69379ea97bbf7dd81e066fe3409c8b93ba2cff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\22609

Filesize
8KB

MD5
6c8ccad653ed2b53a7e2f0902adb2d20

SHA1
73da91592d67e8eff77b032e2232719be2505521

SHA256
d2387c9b65ff8460dad938af94347670c5befd349cc5fc83c0ed25f0014c2ac2

SHA512
abde03557e6ee4414829b5e3396881cdfa8b76cbd5c665ad6eb9f6439c5f3fa8da5cdc5e205b13348c5be625df4cbce57181710ba8d868eee3b299a2dc9ab16b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\28523

Filesize
14KB

MD5
044d51db083a5ec173d87e5201dacb76

SHA1
545eb9e26013445ef7b885fed84fc475a777478c

SHA256
46fa62575042498fb07f705847d1a1002b6f14ec9ed9bbb54c9b50726f054c24

SHA512
e9deefce90bdbdd8083c9f1c626218ee7b1f0743db558667b2ea2de40ad7172fb93d6b8dcf142a09007252d72a22077c482ec9c561006e20fbe987847815e129

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\30622

Filesize
8KB

MD5
78394845308e66cb1ef7880180dbb173

SHA1
079e3c16aecf746f9b89718dd033a3b875ceedbb

SHA256
7a63b82d0a3e05a1d9de9886c0cde57a0bba18d7cea778155a5a5adf3453fc78

SHA512
86e3a61ee6609bec4e06bfff00882417908a5950130bd4b2010f90dda8739fa22270eef99975abff721658f223fa34c569a038ef25657acd76857eeddd7941ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\32631

Filesize
8KB

MD5
c4c3b018774cecbbda9d7ab55263a960

SHA1
dc6fdb22e49b47a8ce1864080c1647bdfed89771

SHA256
ef28c09633fc4134ad4cfab887e8d47ca6721bca74c2878bf08096c6ed789344

SHA512
13a39bd55840d28b9b95318291644ee193cc3679841d7347c2863db9e511b94d87bd581c4e323e0c2a4dbdcfc4fa4f0248e13676b3110c5d7a8b5418cb23a0a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\3773

Filesize
8KB

MD5
f13fb1c5bcba9c3a06fe7c2d46d00f5b

SHA1
5024e3354e1669a11b72b642c27f12ed9b19f8e7

SHA256
3df97c68943f543d3c5887e283bf92ff8094a7f96f735ac407ca1f43fb47aa4b

SHA512
fc68e930164115ddfcb35bdf578f8584be61c33c35441a6ca88b4aeea1e35d1067de868c2f6893818255490d3c2fe011a39d086bbf5f2fa7383e57ff09045cfc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\doomed\868

Filesize
9KB

MD5
a787fcf9b7e59f290c0033e4bfd2c939

SHA1
4836d89a74523445d3951c8baeb5f9da3f4618a1

SHA256
5e464b49c6ee5e777faf836ca14c51bdc53d5dd0eead88e2dedaf9dce81cfc2f

SHA512
4740570de07fef9597078f645adde80fc30069b4ffa07bad8f2e12e0aa228bec3704c4039c383ee365d3067b710867ad7f64c0d5dfcb669dee9d81d6180f20c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\048704B631421415576B569173F0B95063E06A6F

Filesize
98KB

MD5
cb084a78dbce2dc67f7a6f0c3e6ed1a8

SHA1
ad864acbc44e8b1a1741cc441016428246095a08

SHA256
d3b2c49275e1520fc1fd89f8bddfff823bec4acdb3560f890c05e9d5175819a5

SHA512
575e832f63d16fc7606c755a03ec8e0cf36480796928b7a9291ba28ae824419be81ca0856ae0b936b2df2a6ba309856873007e11b8d762a5842bdc9058e93add

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\49D987317101E337FE520EB1996EEC9C7390C103

Filesize
14KB

MD5
ca619893f5c4654579bc453f434d0b45

SHA1
7070b4258d4eac08aba90b55060def8a2d04f9ff

SHA256
29da8df956b86e4c90f259fa40c7af76c80f2712379ab314cb57212603697e84

SHA512
b24709f01832aff2382d860f90df379c531e6d25c015a386e57a386c3a7d346e816cef31213d7cabb5614564e00b674b41e7390dd54c6f2159b07373ad23a0bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\5E820CD0C6E850FAA17FF7C425D80C1C5F1ACEFD

Filesize
809KB

MD5
496f14d4fe8a6de50cabe81f77366562

SHA1
b30039faabf594f56ed08cdc8dcfcd9f5c760f15

SHA256
52826123663673892b753df5e395f50254f879687b1e268aa4ad66c77facb2f4

SHA512
36808c1a5c653d1536b7b82ef693516899ed3d4df2e5d08c53801bbe73fdfc3712fdd2624aefcd6249b8f6960e81ca1c4793430d462b4c91c89b0613d67544af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\6CD9F24696BA003817480F4B79632C293C729B25

Filesize
116KB

MD5
74f34040ca00639add02edf2b4f9157b

SHA1
b0f14fb9df91bc9f3c1465311f34a7dcd703e75f

SHA256
c82edfe0929c651a8321b9c9a61e894d8894e7e234d5bee625dd95771a96bd9d

SHA512
1f49042e81252494e1e88a3fdc2f6f72cf17d35be7e445f4fda95f9423f9308c20219acc7f416dd451c202835b34f82dd9d57140fdec39a1fbacc0954271e31f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\A0C3304715C7E8A846A78FD92D07A9644ADCC6D6

Filesize
15KB

MD5
86f59dceaed2aca21750da899a7c00bb

SHA1
80af3b4ac98362dafe0a10800b4bc4d58b70e333

SHA256
e9fc15e4599b4d65e4d5ff5e5001bd7230c6af35a327040f9e4c00e26713015a

SHA512
77e6e6faad48e3636abb31cafdcd899338452990f6ee8f6bd2a7f99a8915ae81219dbf0597164e3ea555cc727bd50c7f2f341a9c12797582644a7a063f8e2ec5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\E177752BD1D520386863FFE00145516252F6E66A

Filesize
116KB

MD5
62a942da5525dc3da6365fce742c12bf

SHA1
6bd617939c30960f563a11daccef8251ea36f7af

SHA256
88e0fbbd3d2bfe9191666cd2b66d2a2907c1b580f2133ba83ef9d45e35227d18

SHA512
10f0d7e68a5748dbb490a46b187094dab9e7b456f242be38e7a689cab23a1f869a65c1cd433e27ab30635e3537567e6732ca19b65b21a8a793c5d08f609a63c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
c385520d5521431f66a3fbeeda4507fa

SHA1
404607bcb77d209c39e56ab96122cca24dfbafb3

SHA256
84fb396d46deb015bddcfa07cae933f763042507a386c7869b588e4bbb005f84

SHA512
4c3fba4a024bf665a7c8c94f6da1bc21360b69106ede3000f32351602d3a0bc9a6fb638417b98a2e50610d246bd306b7811e9e774f62102e22eb8069415252aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
6KB

MD5
620d74b4eaf9a9b1a04712060e5a1822

SHA1
c93573f6e30a9690cfc58934cd987d8cd260a091

SHA256
4921aca71ead09759619909aebc117cab5b2d0ff3b8f64f5cfb70c49f3cca81e

SHA512
14e0696e543d6ce326f293399a8988f681e79333b834f2fff5f89031cb96f1b5d74b3f6417395c2ceb64db21c2f63fd29e0e588fd75ff140ef71c66bde95fc1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
96a9161dbc573ad22b85c95ca1cafc00

SHA1
e7769d93e7ce4d479072337512a7f741a584613e

SHA256
60e84e6bef9cb19c0cfb44a67f8b5fa5edf16fd9431b2ffce62656b555769d4c

SHA512
17cdd3a8eebfc6a30622909c7b9b68a4522eb0ccab9b431c7c6eb7d73aa3cf30c219b4a64163fc50c06d615636b6f6dc38af74c895d0ab9a2809968c88f62eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
7KB

MD5
1fb79f5b1a95bd4db70b2f36e6cb3d57

SHA1
3e66e9ab9ff57e3d4b8c621f34580de6695a4952

SHA256
f66844bac2725947528a5c6dcb0e15a719071dccb1d71f6b4ec853ef9e2cbce5

SHA512
1676d8a2857e2f317654018ddb08a37a2267aad0acffe26f86533776b94fc5bd72f2d2b28831c4eaedc74518930ad1fffcd4542cab95de958f75ec83350c35d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
b0da1a9fccccd359f69c310167c42102

SHA1
a16620ba701ba67363ee1def7bc5bac4f2469b84

SHA256
ea7814b59165c299509fad85f735cc205a3188b7f5ce0615439d35e4cd30c259

SHA512
5d3f46be1bba6352e442c658dd73d2757781f52ac489577a6a03ebf12d4da8cd5115298b8080c3e6d6cf36674654545d3d74f4d2f1b9b812a0e022d39800af06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs-1.js

Filesize
10KB

MD5
4e297ed912aab42088cf6ec0983a9f7d

SHA1
c1d537b897f5c03c43c708a28b7d93ab0b32d178

SHA256
5e87c6f89d6566febdcc49a44c5fb30abeff8ad9ca1821684b968d3be54028da

SHA512
8132363e7a0825ddcad0c91ef9a299ac98b74556a6ec6db6f039ea23d9595a1427fb82ccc8950d86738a4ce8a292c782931f2d9dc36c24765adb201d997d9e78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\prefs.js

Filesize
6KB

MD5
fcd5f37e5e4066f7cffe8eb106b6ce19

SHA1
b0a1c4d3d5c96271429fb09cb71055d177c13402

SHA256
38dbdb91f24f8e138803d71d0f7e4758fbb78e7f657208325fe30a501e225c67

SHA512
afdf7697bc784c3c85f30a8a1e4caa32459cf7f19c1ffacde04f62f089218ff1899ffe69fc465677d719546c8f91bea0d04807b13d58096f79aeba8eef0a0a15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
4269750c3a33441e9dde14a3e0a3ca8d

SHA1
2aed3a980bddbcba617e2270c43a56ccae21e255

SHA256
0098516b065814b0b1dad59ee165a38f464726412f3c7f461fc9341e98b60681

SHA512
9da58daa60ae2376a18941b9499a570aa3f26ff7073c7ebebf44540415c5137c68e467c049f9d2e81915d952427e54fb737b651735b81ce271986aecd01ad020

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
742ceb3c003867466863b40ddabe79d2

SHA1
4e39fdff4c3160fa686693d79c95e3d8a458014d

SHA256
4fc613a05293c79fa5f841f53bb5ec0a19fbce19acec1ebb46378c83891a0a46

SHA512
3dfcaf72ec1a6cc34105ecd8f4f808eceddb966b4c98aa3856aa63c9144a261e5c5375bde47b1f1e81bdf63ea6cdea474227bbfe9e46b79823263e6c1ace7b23

Download Submit
C:\Users\Admin\Downloads\Tor_server.Tnk4qZ1_.zip.part

Filesize
112KB

MD5
79b0f4907148abc83ff59f94c70b8c4e

SHA1
4add6b17592f000c16362eb974cfb3ef56e65369

SHA256
84694ac980c940f75b8f3b30b0b1ef5cb05f12c249e31eb21289d4f59022e190

SHA512
3ed2f128f23dd682ebd66b341dd2df4400560ea207e5f47510c77ced08b6f20a08e330e87a08658cd4164b5ab169a898e3be96f5eff2ea3df3fbeb58eb6c44a3

Download Submit