hxxp://crt[.]rootca1[.]amazontrust[.]com/rootca1[.]cer

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2023, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://crt.rootca1.amazontrust.com/rootca1.cer

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
20	3964	rundll32.exe
22	3964	rundll32.exe
33	3964	rundll32.exe
35	3964	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133323312250916235"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings	chrome.exe

Modifies system certificate store 2 TTPs 9 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 4b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e265c00000001000000040000000008000019000000010000001000000014d4b19434670e6dc091d154abb20edc0f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b03040000000100000010000000c6150925cfea5941ddc7ff2a0a5066921400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191830300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\06B25927C42A721631C1EFD9431E648FA62E1E39\Blob = 040000000100000010000000e865a22aae524d26869af0448d6fd8960f0000000100000020000000c95f7b20f6fcd39fd3a07a2e44252423b634fdbe35e1e045d964deea626115cb1400000001000000140000008418cc8534ecbc0c94942e08599cc7b2104e0a0819000000010000001000000094ba2a8e68434595d5aff46246c54c125c00000001000000040000000008000018000000010000001000000014d4b19434670e6dc091d154abb20edc4b0000000100000044000000420041004400370032003500430038003000460039004500310030003800340036004600330035004400300033003900410039003900360045003400410038005f00000003000000010000001400000006b25927c42a721631c1efd9431e648fa62e1e39200000000100000096040000308204923082037aa0030201020213067f944a2a27cdf3fac2ae2b01f908eeb9c4c6300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3135303532353132303030305a170d3337313233313031303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a38201313082012d300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08301f0603551d230418301680149c5f00dfaa01d7302b3888a2b86d4a9cf2119183307806082b06010505070101046c306a302e06082b060105050730018622687474703a2f2f6f6373702e726f6f7467322e616d617a6f6e74727573742e636f6d303806082b06010505073002862c687474703a2f2f6372742e726f6f7467322e616d617a6f6e74727573742e636f6d2f726f6f7467322e636572303d0603551d1f043630343032a030a02e862c687474703a2f2f63726c2e726f6f7467322e616d617a6f6e74727573742e636f6d2f726f6f7467322e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b050003820101006237425cbc10b53e8b2ce90c9b6c45e207007af9c5580bb9088c3eedb3253cb56f50e4cd356aa79334963221a94844ab9ced3db4aa736de47f1680896ccf280318834779a3107e305bac3bb060e077d408a6e11d7c5ec0bbf99a7b229da700097eac461783dc9c265799303962968feddadeaac5cc1b3eca43686c5716bcd50e202efeffc26a5d2ea04a6d14588794e639315f7c73cb90886a84119627a6edd98146a67ea372000a523e83880763778969170f3985d2ab08454dd0513afd5d5d37644c7e30b25524429d36b05d9c178161f1caf9100224abeb0d74918d7b4529503988b2a68935251e146a4723312f5c9afaad9a0e6251a42aa9c4f9349d2118	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc5c000000010000000400000000080000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e26200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\SystemCertificates\REQUEST	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\06B25927C42A721631C1EFD9431E648FA62E1E39	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
820	chrome.exe
820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe
Token: SeShutdownPrivilege	5092	chrome.exe
Token: SeCreatePagefilePrivilege	5092	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3104	5092	chrome.exe	83
PID 5092 wrote to memory of 3104	5092	chrome.exe	83
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 1472	5092	chrome.exe	84
PID 5092 wrote to memory of 3092	5092	chrome.exe	85
PID 5092 wrote to memory of 3092	5092	chrome.exe	85
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86
PID 5092 wrote to memory of 5048	5092	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://crt.rootca1.amazontrust.com/rootca1.cer
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff893729758,0x7ff893729768,0x7ff893729778
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:2
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1320 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:3956
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\Downloads\rootca1.cer
  2⤵
  - Blocklisted process makes network request
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3764 --field-trial-handle=1836,i,2525680638455067937,7437492450921996497,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9469a944fe27bbfe19a869ab1588a883

SHA1
f5eacc81796c6489369b895d3afd86ee22b64fde

SHA256
cffb3b41b080ee5461e3e19a5f1862ace4ccb6fc91d7449b7dc3720fb8d33b82

SHA512
9a80043dff523bb2fda1b5507adbb51efbd39ae3cb769cccf3e8c2129659da41f8419d8c0507be6b7422b818791bab489e8b4ae00ee47ddfca86b9cdaa200406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a5dc4a3e7057353f633eed99d178ca72

SHA1
0f73768bc0b515a059da39f78dbbe867b3a1b596

SHA256
0140b031532152738927197ef55396fad62385dd5d528254bc4601332723085f

SHA512
6033d86e43ec4c86f4ab5103d85cbaa803504a88cf08dcf22cef6ceeed0f5393e1c39d4c05a08e76d64d86d29e508812e78f8cc02f7ffae2cd673511ab6cde6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
56479744b1442a24ebb4a6b0c038c4ad

SHA1
dfae670ec310e6183439c76e3de9e6034763db20

SHA256
f81cf30fc02803318a13e66a303bf3902f54d014d88e8f35a0878966e607d212

SHA512
e88473db84dc1e38927b081879bbd3b8e5b891a7b218c5700d7e2585b61a7720e52ea767f29609750a2cc1d369f235adf4f8a684a02b6a9fecb2d2483e94e345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2430f7130a9e7c996291015fbbaffcb2

SHA1
69f9a0e9548cb447b294259be3fdc0372ca294d5

SHA256
fcf53e12bdbb430d66df8616ecdf980f56109397deef7e2354c7afda89daa260

SHA512
32e47dbfd69da77e440cd5e52fd2bb4283b131ef37aa58ed4770b7bb180c2334915ede4e56b9694555083a03f0f11279d66c79e3d0e433f7ca88471a1f405d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
f8764cfbd20e88d534a15eb9afe21a1a

SHA1
19bd7b4bdfd962b819bd54a5928bdbd9292c3173

SHA256
21dc841bb0ad7c13f42252f0ecc8946cb17454f4abaaa1fc1ddb8bef80ff52af

SHA512
34445937c9ba78d9c4f1516fcc4edde4992a7e93085ae6c1429ca29fff6a82ec5590f25f95d76baca2d74b028122831f0b16c0c8dd66506e68ab34ab7d175405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
8b1308211f54c6cbbe8507877ed8b5f3

SHA1
919e07058dc52ce0d7d2b1e553a59dfd3facae13

SHA256
49968bd5a0030376e8f1fca238e4271a1f479a40f24c1b4eb1bb453b9ba61f03

SHA512
5c3dde5a2c2fe29c28935e8ad3a7dd6e75bf469a0f81f8232f856ccbd9ad3d06d9470ad98e1b59a44912ee198bd48dd9094239bf4451bb3ee42a781177215afa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
176KB

MD5
05392821cbfec02a576c812d6e486667

SHA1
2b47d2a0680c886254a646f9b52e12f87105bd62

SHA256
fa1977af19160e8dd90223e88db7879919366e456ef00282069093eecb653168

SHA512
8abf1a2e3891303bc8f4ed53f781d37a1de1dae2f2e139fff76b10db51aa547137f21ef5d21aceecc71f28d5d8d3418276ef9272591e90b52ca01988fb1e2096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
b0d5e16985819c05ad8bac53fe5eafec

SHA1
1735b0f67e33dc8690182979bf7065d1577ef7f3

SHA256
e1ded72faee2d1d24cb9a81c3fded32814d5a705b16b16285b76b69c1099dcb3

SHA512
d831bd1d1eea56e5d825f49bf218338f5d44093b94bc760950eedbaa4ea33fe10241cc8a312f47856ebd3d4432456e6071d16bf56d8501e3e047398f6fe94de3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe573885.TMP

Filesize
102KB

MD5
bf2ed9aa4a863fe62a74476f1eba6694

SHA1
b883693c04fa329e37806e36ce49953ece0841ed

SHA256
839d631e5563fc23ca305b42f753c3efbdce873b3ab8c58c655b5b792a269598

SHA512
310eee8a83b1677dfef216a844ec6dc8fca955e7f733542929d6c9927fdc8f3c3f16fa83f5a4e6d8886daf38013f4ca81321202faa68c2c9c53a8213f0060023

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\rootca1.cer

Filesize
1KB

MD5
e865a22aae524d26869af0448d6fd896

SHA1
06b25927c42a721631c1efd9431e648fa62e1e39

SHA256
87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706

SHA512
35205b5bd20b61c32c75d9cd21eab933e0e868e2b0f0ef3467ef92069751b73bb2eac4e7c64fbc00880bd0c1eade9269b638da5d01c2da75d4b07620c2e63434

Download Submit
C:\Users\Admin\Downloads\rootca1.cer

Filesize
1KB

MD5
e865a22aae524d26869af0448d6fd896

SHA1
06b25927c42a721631c1efd9431e648fa62e1e39

SHA256
87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706

SHA512
35205b5bd20b61c32c75d9cd21eab933e0e868e2b0f0ef3467ef92069751b73bb2eac4e7c64fbc00880bd0c1eade9269b638da5d01c2da75d4b07620c2e63434

Download Submit