03a9b3163071ecb41e20b95eb664c3165b9fcaba89f5e5433484d65e8cfa0380

Resubmissions

26/03/2024, 18:06

240326-wp3q2abd3x 7

26/03/2024, 18:03

26/03/2024, 01:20

25/03/2024, 20:21

25/03/2024, 20:21

25/03/2024, 20:20

25/03/2024, 18:59

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows11InstallationAssistant.exe
Size

4.0MB
MD5

9efe0c8b7f96c1a7d5bdd52bf07d009d
SHA1

dc6ff2f1c0af472cdc81b05f876c10420a6bbb78
SHA256

03a9b3163071ecb41e20b95eb664c3165b9fcaba89f5e5433484d65e8cfa0380
SHA512

b66772e1faeff8c607b6624106530945997fe2105569cbf92cf0eaa31f7bd02ed46b74bae6e9d79b6f51da76445564ed73fe9eb2a6507e3ce5d543781ba227fb
SSDEEP

98304:Fguv/rctyMh4cCE3p8fuCNCzLX/sA2uQqvAVGht5f/LyXtcH//9:SVtyMh9CVPUDk+4QjyXa

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	Windows10UpgraderApp.exe

Loads dropped DLL 1 IoCs

pid	Process
576	Windows10UpgraderApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentOOBE.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_gl-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_th-th.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_germany_region.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sv-se.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-us.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lt-lt.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sr-latn-rs.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-tw.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-fr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_he-il.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nl-nl.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ro-ro.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_bg-bg.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ca-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-pt.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hr-hr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lv-lv.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-ca.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\ESDHelper.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fi-fi.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	Windows11InstallationAssistant.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10UpgraderApp.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ar-sa.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_it-it.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nb-no.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-br.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sk-sk.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_cs-cz.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_el-gr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_eu-es.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hu-hu.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_tr-tr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	Windows11InstallationAssistant.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_de-de.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ja-jp.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-cn.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-gb.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_et-ee.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ko-kr.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_uk-ua.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-mx.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pl-pl.htm	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	Windows11InstallationAssistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_da-dk.htm	Windows11InstallationAssistant.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
124	576	WerFault.exe	80

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Main	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Windows10UpgraderApp.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{D89168B2-0D0F-4B88-B1FA-288F6D27642A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5336	msedge.exe
5336	msedge.exe
5672	msedge.exe
5672	msedge.exe
2292	identity_helper.exe
2292	identity_helper.exe
5556	msedge.exe
5556	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1684	Windows11InstallationAssistant.exe
Token: SeRestorePrivilege	1684	Windows11InstallationAssistant.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: 33	5428	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5428	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe
5336	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
576	Windows10UpgraderApp.exe
576	Windows10UpgraderApp.exe
576	Windows10UpgraderApp.exe
576	Windows10UpgraderApp.exe
576	Windows10UpgraderApp.exe
3020	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 576	1684	Windows11InstallationAssistant.exe	80
PID 1684 wrote to memory of 576	1684	Windows11InstallationAssistant.exe	80
PID 1684 wrote to memory of 576	1684	Windows11InstallationAssistant.exe	80
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 4156 wrote to memory of 3020	4156	firefox.exe	88
PID 3020 wrote to memory of 128	3020	firefox.exe	89
PID 3020 wrote to memory of 128	3020	firefox.exe	89
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90
PID 3020 wrote to memory of 1056	3020	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant.exe
"C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe" /SkipSelfUpdate /SunValley
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1804
    3⤵
    - Program crash
    PID:124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 576 -ip 576
1⤵
PID:2804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.0.1332330564\1555734600" -parentBuildID 20221007134813 -prefsHandle 1780 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab2b522d-3134-4e67-b53a-aa26ef65c118} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1872 1f3d65f2e58 gpu
    3⤵
    PID:128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.1.2030538970\1412325958" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4deeaf96-549a-4f2a-a3cc-9797e439a594} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2248 1f3d6031d58 socket
    3⤵
    - Checks processor information in registry
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.2.670502585\996106030" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3096 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42620f25-38db-46c9-a0e7-22c81c443140} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3068 1f3db8f7558 tab
    3⤵
    PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.3.1222878333\598644045" -childID 2 -isForBrowser -prefsHandle 3108 -prefMapHandle 2864 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f293475-fc74-490d-a1b9-3685851396b8} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3400 1f3ca65e558 tab
    3⤵
    PID:1400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.4.678665568\83985510" -childID 3 -isForBrowser -prefsHandle 4432 -prefMapHandle 4428 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a05b382-1b06-45af-a2a2-41f607be4b0a} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4348 1f3d9060258 tab
    3⤵
    PID:1860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.5.596166187\1892170481" -childID 4 -isForBrowser -prefsHandle 4872 -prefMapHandle 4816 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5e7a8e-3b15-4b96-9d58-8b6e158ef16e} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4852 1f3ddcc0c58 tab
    3⤵
    PID:576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.6.650035624\327960179" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31314cf0-21b7-403e-b99d-3252ccb530e6} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5004 1f3ddcc1258 tab
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.7.1977142837\1581626313" -childID 6 -isForBrowser -prefsHandle 5192 -prefMapHandle 4852 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6869f02-2285-49a0-9aa9-89bf06922025} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5180 1f3de226858 tab
    3⤵
    PID:900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.8.348475052\1819595555" -childID 7 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa239bad-468c-483a-a795-30535edab94c} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5748 1f3df454b58 tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.9.198049130\247583586" -childID 8 -isForBrowser -prefsHandle 5768 -prefMapHandle 5896 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0635230-3c29-4805-b5ff-d8d696ae3b7f} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 5888 1f3df451e58 tab
    3⤵
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.10.892538723\1288908983" -parentBuildID 20221007134813 -prefsHandle 6208 -prefMapHandle 6204 -prefsLen 26204 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9da62a5-5a83-4f62-b213-821f1d369be7} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 6216 1f3dfa81358 rdd
    3⤵
    PID:4576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.11.154694048\969042726" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6376 -prefMapHandle 6372 -prefsLen 26204 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {564d7494-93e2-49ef-bb07-bf4acc48dece} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 6388 1f3dfa7fb58 utility
    3⤵
    PID:4452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.12.1097986911\1041839832" -childID 9 -isForBrowser -prefsHandle 6816 -prefMapHandle 2748 -prefsLen 26379 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a3f9f25-cbc9-4b5f-aab1-d1aeb179c86d} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 6824 1f3daa3b058 tab
    3⤵
    PID:5612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.13.1986389188\72838131" -childID 10 -isForBrowser -prefsHandle 6672 -prefMapHandle 6628 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab2121c3-1021-45b1-aa15-67b94215c511} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 6644 1f3de33db58 tab
    3⤵
    PID:5576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.14.1142271194\904206214" -childID 11 -isForBrowser -prefsHandle 2736 -prefMapHandle 4528 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b890087-20af-4d7c-aaa7-e67b8e0c15bf} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7376 1f3de33bd58 tab
    3⤵
    PID:5592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb6bdc3cb8,0x7ffb6bdc3cc8,0x7ffb6bdc3cd8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,9004989863493280553,14530515089382962862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallationAssistant\Downloader.dll

Filesize
197KB

MD5
9e1b5963ac0c44bad9f119097ee0bfc8

SHA1
dd1a8692a64ddc5464c5b9737708e945668dabe1

SHA256
1b5cf5d28e4b20ed7d12e0f0acf3de6c19cd5694bb228266854d8981e528e4a8

SHA512
8ff0cbecb23373f1ce49122264fc037802916a821edccf27da879fdd67da2a38768f19a5dc4f17c9fcfa36082ea7b87506ea04314d58f2a646c8deb76f2be7ec

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.1MB

MD5
3fcdc472df51f8112f721ec1317a553c

SHA1
61ee70b1f21d9ae0d989c5e147b9780c8fe5a816

SHA256
ebb707dd3586d5c2f29088dd91e09d57b314abc8687e43ba7689a0796f8b8808

SHA512
f7bb2ef327cf6bc3454b7f1d345b1e0842a0717580ee4c88bb0d042aa2eaf84ac94920977d55e64e3b5f39d82f07f4dd57343c7a07f51b450a17683fd0c46113

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
a0e338a33da0fdb1bd4810aaec246e13

SHA1
6a8ece04dc43bcc91826765538b71c12c276bd41

SHA256
e4b69eb58da23e8a9006097eba6097f5c593a4a3583b7869c192b91a7f14081c

SHA512
250add3d86b0e1383339e26fd784b67a0aa3b965be0e0118821967b584466d011e9dca5db7b939cf615a192c18a77b14d5b8e0abb015b8f81b54b771994e55a0

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
1.7MB

MD5
cc7b2e643df5f1defb6e1acd96f4964c

SHA1
6190ab7e0e20ee3bd853452c045d84a3bb906f0d

SHA256
973c21c1d61b5b2767dbedaaff50404f1926ee1ffb3368a41d2faa046053da9d

SHA512
3f9d5da00c1317d38a20dfd2f96ba821e5da2d30f44155c97378c00918cde8768baaaadff8270a8c7086f9a6017d9ca247551ec2789b91464b3751c46b2e80ab

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce319bd3ed3c89069337a6292042bbe0

SHA1
7e058bce90e1940293044abffe993adf67d8d888

SHA256
34070e3eea41c0e180cb5541de76cea15ef6f9e5c641e922d82a2d97bdce3aa3

SHA512
d42f7fc32a337ecd3a24bcbf6cd6155852646cae5fb499003356f713b791881fc2e46825c4ff61d09db2289f25c0992c10d6fadb560a9bea33284bd5acc449f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
12b71c4e45a845b5f29a54abb695e302

SHA1
8699ca2c717839c385f13fb26d111e57a9e61d6f

SHA256
c353020621fa6cea80eaa45215934d5f44f181ffa1a673cdb7880f20a4e898e0

SHA512
09f0d1a739102816c5a29106343d3b5bb54a31d67ddbfcfa21306b1a6d87eaa35a9a2f0358e56cc0f78be15eeb481a7cc2038ce54d552b9b791e7bee78145241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
320a0bbf1926c0d68e892a933f3ed523

SHA1
f1d655742a78caec2d2c1bca1ea8acf40ebb1ec2

SHA256
57b6b95267a1477ecf50778b2381e2d0670754bcb5aa13580b707617067c2a3e

SHA512
8bda4b1931bbc64e8919049153ea4dce59d17064af6b80d58622c188c32c2b0ffe440d0d5cffd12baf1e5411ab30eec2b000c58fd1345508cfc9956b6da7d6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
481B

MD5
49489411c71733a27c4308154c752d7c

SHA1
ff222d92143d456f8454780ce5e8ac73cd9d1d15

SHA256
0c89277b18e6303a949df139ea53b0233bd720e74469039e8a4711b8958b2ef9

SHA512
c118125e3a83bc22a298e74818b6a5ca957789485bfe1c2a438e8e26b9cf1e7549958ab79655a639a9753a32aa48b2195e06db10e5a3ab1e08c9e831366112f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0296661e48cf094e6d31427261da8d13

SHA1
8ec911291390e4d558d4f8c46f4a47a912d61986

SHA256
a868da379e87cbbd46bae5afb4dfbb19edba502c0529bc5fce01aec4907b6676

SHA512
d24cb9cbf81af1da70f5eeaf964345368e61f6ceff67e79499d1706c1a75c06e4df194d6f00afeaf9f1aebf7374d70efd8589dd107abd2349c8639775beb41ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f9c9fae751cef732a217941a80aa58b

SHA1
04a1ab216ee8b48fe2bd83bddada69537862964f

SHA256
d1fb4e2f955c454c9b821bd2439e0880743b06ca3a19aead9d2e5e49602693c9

SHA512
4e268202a052461b6cad675d138b1caf15a27a6a0c8218e6abd9ed9bbd2c8b3aaa77f5508697c126f7fb0458ff897bc0425312c03fd21bfb3215ec6f18d3c74d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2067375d8d25a4d3e094e17d8cefa3ce

SHA1
72eec69de96d9bf933a7dbca1e027df0a6b392e7

SHA256
ce8bd4da909616c76811c6a890f572c7f65e2dba1638bbc663a32569a7935438

SHA512
883cdf7cbf9ff721d26a69074b7d27c93765d16b362246fa20487495a2be126eebb07f84fecca08187b038b452c035a43c1f70d9d1676766ec15f62fa490053c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b00ff797f1a7db284fff62eda55e8b51

SHA1
8cf30853d498d484f484f78f0a40a31b1a86538e

SHA256
9609750f7412a793a99bdd04b0bccdfa20fc88a7d9a28718df819a7c97bfa7e0

SHA512
3c0ee468364c52f94bc5be0b2ef231835987adcbd080f2fb382a39f72d6baacb53d9181a31769b7fd9f88ef6358fc82b7a206b0a8780cd1b4643df0aff56491a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11acfbe4a5c664d873d63f0c99128968

SHA1
6240f5b0f8f7f3f3b0ac5bb1a7d7f8570ab5c1ba

SHA256
61a98a7455e8ef045b1100641a8b884bdc5f6184d53404c8c49800e90762c8df

SHA512
1e386c89007cdf8925c19bee7365230feb8b357f91d8066ebb39901774c3fd498ef75e2c60ff52b4ffe2fc8aa63b3b8aa1d80b5253368dee8f23a39fb4e7d4b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zs0352kg.default-release\cache2\doomed\18915

Filesize
22KB

MD5
d7048b092c63b1118f4c3df622ab114c

SHA1
7c5afc62b8b0af8914df35b4e42a1cd3ad387a10

SHA256
b291fa967e6bcd333657d5bd28125c93e0987e69fc7bc8b6fa4d312c2d87e733

SHA512
ea7857aa7f34ae69f3b8e02899e4dd6544bed94309198a3d27ea2938a4a52a3e4c3f4b75502a65f009515c160b3e7ed6f5e1aa2b9d248c97848e7a46c19a3e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zs0352kg.default-release\cache2\doomed\26728

Filesize
19KB

MD5
15ad16a149e2032c1be1d892d4546db3

SHA1
235cd8b1736a012623f23eb574d533fe3936f79d

SHA256
ffa2c15b675398af3997f0e5d19b9890d0dbaf7e09d2930278fb05a06ed5fc00

SHA512
6d1ec42e5f0b789121905d4136878ae117cc45a7b2d71ee73b01ce46834f046f6ca85c49cbfddd6e0531baf4579d5af8ecd9a18aacb0d6c5ceb1f3821f5c7ff5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zs0352kg.default-release\cache2\doomed\8902

Filesize
19KB

MD5
1b8a3d2d47bfcea71c5543ecd37a2f49

SHA1
4f764aa205383f3d3d85decd658a96cd09a82aa1

SHA256
53c9949c471303f1073e19b1b003d6269e54e63d3b994ef7b12d2081f5920166

SHA512
dc3770134015294ef97227511591bcf9668068d73fa2e9972be5ae917caadd432d076a228536daca3265a4fc999d379a540edc692cd285296d32971585966891

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA6CF.tmp\appraiserxp.dll

Filesize
364KB

MD5
9ae24ddfebb001b9cf15004176e90d89

SHA1
5fbb398e25611bafc8a115d13d55a4d4b28b96c9

SHA256
82f490f1594fe9545af87a7d90f3905fbc0023a273d2df87780023218839313e

SHA512
d8a83752c270864e7be1123cae01eafa091f1faf0d274d953bb094f61f27b41f95ea47ef284759335ef84fbb2a522b63b0b2b154572775901279a50a9ef23805

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA6CF.tmp\resources\ux\EULA\EULA_en-gb.htm

Filesize
89KB

MD5
31a548cd6e0569db0d8d5a766ea2c003

SHA1
eca3cba694915df5dddd95790eacc20dda1fdacf

SHA256
74a5b919aab524487a9a6b55a2de78d133e8e16c00367a82002d6c9a55d9d34a

SHA512
1cb8910b557550b5db5cc46ac325b0924cef6915e30b4daa33975f21d02d521cb0bf8c53723e03bc875928bfb5b30d8f6013d1c5887013fa6b3db084075d7561

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA6CF.tmp\resources\ux\EULA\EULA_es-es.htm

Filesize
98KB

MD5
4bce0923de384170225f162240731eb9

SHA1
21cfe6b950885981d560002f04ad328fe3797b8e

SHA256
1bd1d819ef445a5b51929b03ce31ccdb697ba862ccbb603d5440fa89fc585238

SHA512
0f2e69e51b28507bf93523dcc8e715dfa3784913f729d242f0efad5e0ce1a3220d80ffe68f47c4de83ff71a0af29225e98ab0c83425ad52db6c41394a8802046

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA6CF.tmp\resources\ux\EULA\EULA_fr-ca.htm

Filesize
102KB

MD5
93246f9e40f56dd432768a4b525ac39f

SHA1
9bdd2cc9209ac9520d8ac78f21fdb69b045c4cbe

SHA256
921b5d35eaa56c62640a4bf37d131fbe8c73deb2d189d01ccce4a451d90759d9

SHA512
14b66b268d84e5f90523cffb8a5608c05e928a4e791e61543efcb4897528e40c936c1b54288a93494e9e88c17f1b6343bcf99612bb44bfc5cfc2926d4037f4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUA6CF.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
fba9817824b67cf4b811b19e447db397

SHA1
92b125e75fd28d0b62913629f189f87c391542f8

SHA256
41c45eb1d2b904202214098b5356cc8043f7a9580d3b6b53746a820f2b9ea887

SHA512
d71df69bbe6d628b1afc1b7f9e64b62a2044e2b93a903aef12fa697e9b122993cdbbb43c4710cde5450f9d3e0f09b10f3fb6a011239bc5633be844896b81bc96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\datareporting\glean\pending_pings\18867d22-b6d4-4027-85a6-287e7e64783a

Filesize
734B

MD5
c1c4a46678a1d4187b16e036b1aeae17

SHA1
00adf4691d6a9148d4119b2dd5f003c5aa791c06

SHA256
c1d4c2dbd7ee79b64f947c693abfd58ef2d3f1dc2dafa86d185b0761c531c78a

SHA512
5a6907bce70d5e879122da33ac49b5f6a0e7a639fd1668deb4e34cb10cd34b72e376a68fe1699e1ac7000c16a4ea532f4f0c60732f648e36506cb970648ae1da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\prefs-1.js

Filesize
6KB

MD5
e0468b217e265e3e0b01456a6f157121

SHA1
fb646f86a449dd243659670c3b885d97e7eef589

SHA256
78b2c21f178ba2e2f0f68e87a568aa81533312e6c46089422e632e4518a2d0ed

SHA512
941079dc92d5fd170ce4fa482dbf193a324b1aa9f91a8358ef35129c276d31efecedb4c0bc5b5dae25051ead433a56e5eec9d510d14c83a3e87a0d7ace21a12e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\prefs-1.js

Filesize
6KB

MD5
6b0c215bccdc637002527540ede2ebb6

SHA1
53c4eca166adb62b8d25482897061834287c4e75

SHA256
f4ee854dbc8c382ee487154a8536f2312dd349277da7d9797bfeefacc135104e

SHA512
80ffa7b9be609bf386edc9a545cd0fa1c3f52b22ba482f9b0fce048c7d808670f7dd01be4b0bcb7c1083ec91f5018b053bf708baff1886f2925ddec1bc82f5e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2166fe071dc4fe3f42d5a38197095caf

SHA1
79feb7dc3cf21790acbcfb5642b811d7ecdb965f

SHA256
0d4e21b62cd13ce7729824f73c92dfe151346c14acfed32253be9500d90f2ec4

SHA512
d1fc49efc3a3a0055bcec4e87c8950ad21b25d5bb12664512fa66c4b5205a8b95402f01565468ba7d41e0fe628916849301ccd1a0083a18ae385fcdf3d1c3fc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b4cf9d576e8855b3d686988f72216041

SHA1
aa65ec09048a98b88f553743aff3251c14078ec0

SHA256
a439f77a223e8422c9fe7685e3a82491d658e34b17770c8c175b2f8ae89a13c5

SHA512
e9bffa260bddfbcdfbd4ca11f0f912d7c950d12d3a68adfc4013359136e16a99395291ce225713046eaa43d4fefb5e64df0f2e8591c09f8c9f42aa8708fa35d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5e4a210c23feaf5270e69131153b5b75

SHA1
dfec56b8287eee2f0a79caf62fb18f33683634b4

SHA256
7aaf470bb3efcb83a8df3fe6ca3d4839131ba00e01916bfe21ff11b464dd04fd

SHA512
f05cf53c63244e27c728990b55b72886df15aa77b0ed528c687df8b5bf3f0b06701695d368e2f865081c7c20e2a2c08ff02515ef3a690ecdc2ed827654450d1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
8eeb7560398f0262d8fd90d65a63d2f8

SHA1
409cfb624d534c9c23fd828f74959df4fb0bdb79

SHA256
f8cc50bfce5f2281b4d5af0e7b395146145fafd692b7bb6f45f888eec7e81c7c

SHA512
649af71edafa7ce54705fbb345afd66e6948c78fc80dffd083129d698442285e0c4202b81acdfc88c957e0adfe9ef0d72bb38e0ce59a32646ef95479f9c0f97c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\sessionstore.jsonlz4

Filesize
6KB

MD5
48aff896ef5af929f91dccff2818ebc5

SHA1
61e5e7c5f7253f3b78ba37dc5b2c74f950644659

SHA256
d268f646404317cb5ec3fb8de621dd75cf35c5ba93f2a3af936f7b7b1c679936

SHA512
9df27587d9d14fe34aab9e126f6def94dd774fff5e3c91300f3ed3b9699ddd4f15b9c8ecacdddd8cefc9974d7ddb0de86de3b65722b7fe4c5e97a802ab6c9e77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\storage\default\https+++www.youtube.com\cache\morgue\191\{8581ecc1-061d-4de9-996d-5204aa47b0bf}.final

Filesize
4KB

MD5
d8abefcc83918aaeb0082f1aab59f164

SHA1
380a4d1439d05c675cbeb91a4c41a6beddac234e

SHA256
50085f863e617a0412af30e7b7a4ebc552badb1f8ef8b6f9a7c4b87cfbb78445

SHA512
94d6b7fe452cf28af768c23eb6e2a95a4e17d7673739cd740e100b5de245559b69160b8b780996bcabeaf0f2e3aa42fddea0a608d3b0845445eddc7523a24b16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\storage\default\https+++www.youtube.com\cache\morgue\6\{2db49433-99c6-460a-b6b3-b7eb3ff41506}.final

Filesize
77KB

MD5
62044fba5159bf7ea2814be029d556ba

SHA1
65d7be37a476326e8a2f760da481c7edb690ad8d

SHA256
98c7ba9c9570b81c2d45f21b041331447bf7f24b66048adc92b98c5b215b3284

SHA512
03013e689f4114dacda766861744ca7df7a0d0513ca7ecfdbe3c08770dc80cbbe51dce59a98252c4269808f77edc8bef511cf15bbae79a08957fb446939f63af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

Filesize
40KB

MD5
427d27a11de7fb07f4fedf69f175e54b

SHA1
a941ee84461abc716d2deb444fe182235e317e51

SHA256
4c230e2ad7907f87bdfaf2f153a9715224cc5445db9161e424f17485454adbc5

SHA512
f861bbcce88c1acfba745c2b68117636af8ef4a4e9d192f9da9a30ed93f1bd254c4d54838af6b4225ae9ce03e5f317a1e014dd35efbaf609391f7b778b60712d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zs0352kg.default-release\storage\default\https+++www.youtube.com\idb\603326329yCt7-%iCt7-%r1e5scp8o.sqlite

Filesize
48KB

MD5
efd54641e367d8038ed7f907f3249693

SHA1
fcbd718ad61477e07a78b03e1fdd8e4bd2b56688

SHA256
de0a809f66fcbf91d8db90d02afa62a07256bfebf02239a1358a91f8deb6f25c

SHA512
b7dbe31d9baa5e8f4abb41c048a177f077c82b9fb154008421727564d84f9b9c4d38f33286324244529ff120fbb34d2df8fdfea644b09be3232253d1f5266fc7

Download Submit