695cd368713e92a60a3a1d78055081ff74655c19a704a9303f79d4f66d41b38e

Resubmissions

05/04/2024, 03:26

240405-dzpm2sah9z 8

05/04/2024, 03:26

05/04/2024, 03:25

05/04/2024, 03:21

05/04/2024, 03:19

05/04/2024, 03:16

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05/04/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eg-en.html
Size

1.3MB
MD5

ef3e67e8c87982ae2424baa272fd7fd1
SHA1

f002b425b5eee94f0a4e17ff25d31576fa478df6
SHA256

695cd368713e92a60a3a1d78055081ff74655c19a704a9303f79d4f66d41b38e
SHA512

ed6a1a726ee9827abb9b399f5376dc24ab989c23493a77c58d89ef6dd2210f63efab9bec1f2bca08cfb70abb7b4b53dd63cf32f4b154af5e254aa372b33761fb
SSDEEP

12288:PfG6L+qHfKZdUkbNPdNiojl49QtAhwFh66njWLp/53:DLPHfchFh66jM53

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
632	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeCreatePagefilePrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	4468	svchost.exe
Token: SeCreatePagefilePrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeLoadDriverPrivilege	4468	svchost.exe
Token: SeDebugPrivilege	200	firefox.exe
Token: SeDebugPrivilege	200	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe
200	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4136	2360	chrome.exe	73
PID 2360 wrote to memory of 4136	2360	chrome.exe	73
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4464	2360	chrome.exe	75
PID 2360 wrote to memory of 4244	2360	chrome.exe	76
PID 2360 wrote to memory of 4244	2360	chrome.exe	76
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77
PID 2360 wrote to memory of 2940	2360	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\eg-en.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffae8329758,0x7ffae8329768,0x7ffae8329778
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3852 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4688 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:8
  2⤵
  PID:200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1824,i,19278200484413236,5951179114147073907,131072 /prefetch:8
  2⤵
  PID:712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5000

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:3232

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:2824

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4396

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4468

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3260

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.0.2015824321\79023920" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7dc54ed-9b02-42e4-9aeb-b9d1baac1d30} 200 "\\.\pipe\gecko-crash-server-pipe.200" 1796 192bf1d5158 gpu
    3⤵
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.1.612549069\332506043" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a34150f-3689-483a-a9ef-b055fb3606c8} 200 "\\.\pipe\gecko-crash-server-pipe.200" 2152 192b4171f58 socket
    3⤵
    PID:196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.2.867147270\111197024" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2848 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ce5e58-6502-473d-b1b4-e1fe1bd8abee} 200 "\\.\pipe\gecko-crash-server-pipe.200" 2684 192c34cbd58 tab
    3⤵
    PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.3.761678222\748936555" -childID 2 -isForBrowser -prefsHandle 3176 -prefMapHandle 3196 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68ee4a78-71c8-44eb-9090-bf630b0e7c2b} 200 "\\.\pipe\gecko-crash-server-pipe.200" 3448 192b4162858 tab
    3⤵
    PID:3260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.4.1737372245\1402649209" -childID 3 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3a88c61-ae33-4b98-95e1-3e05a6360c30} 200 "\\.\pipe\gecko-crash-server-pipe.200" 3932 192c48a5258 tab
    3⤵
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.5.412447256\1514750421" -childID 4 -isForBrowser -prefsHandle 4804 -prefMapHandle 4808 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e2a362-76e4-4ec2-83cf-196d5ea33065} 200 "\\.\pipe\gecko-crash-server-pipe.200" 4816 192c5640258 tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.6.1272515887\499400792" -childID 5 -isForBrowser -prefsHandle 4948 -prefMapHandle 4952 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {202ce53e-7517-42cd-991f-cfe697619557} 200 "\\.\pipe\gecko-crash-server-pipe.200" 4940 192c5640b58 tab
    3⤵
    PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.7.712208265\1357966439" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e06068e1-6758-408b-a1f0-57aa70eb8515} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5140 192c5641a58 tab
    3⤵
    PID:1816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.8.1659837814\1086879903" -childID 7 -isForBrowser -prefsHandle 5360 -prefMapHandle 5488 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af0bf210-10f5-4491-980a-28471f3c07ac} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5496 192bf0fc558 tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.9.138141457\281609031" -childID 8 -isForBrowser -prefsHandle 5696 -prefMapHandle 5428 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e641c4d4-1235-4b35-b588-c88aabe024b4} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5496 192c197ea58 tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.10.1927457635\253036771" -childID 9 -isForBrowser -prefsHandle 4176 -prefMapHandle 5152 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cdfe685-f6eb-4d46-9282-fe89f398cfa7} 200 "\\.\pipe\gecko-crash-server-pipe.200" 2632 192c6b21058 tab
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.11.566070779\766379835" -childID 10 -isForBrowser -prefsHandle 3488 -prefMapHandle 5252 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {066f39f9-d9b0-4e75-a753-14fa30165c9a} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5072 192c800f558 tab
    3⤵
    PID:5388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.12.1020799588\1122980328" -childID 11 -isForBrowser -prefsHandle 4944 -prefMapHandle 2888 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c26304-9da5-4479-9cf5-ba2948096257} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5452 192c8010158 tab
    3⤵
    PID:5404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.13.143390251\421785978" -childID 12 -isForBrowser -prefsHandle 5868 -prefMapHandle 6016 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29e8c57-11fc-47b6-8af0-c670e6d5b8c9} 200 "\\.\pipe\gecko-crash-server-pipe.200" 4600 192c81afe58 tab
    3⤵
    PID:6008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.14.1297323784\1939177145" -childID 13 -isForBrowser -prefsHandle 5012 -prefMapHandle 4960 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {974c6cb4-ea4b-4531-853b-a93a4ffa0161} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5064 192b416b558 tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.15.993912055\1935343507" -childID 14 -isForBrowser -prefsHandle 4876 -prefMapHandle 6048 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f277d88-9714-4dda-b074-3bea82949dbf} 200 "\\.\pipe\gecko-crash-server-pipe.200" 4912 192c1a15258 tab
    3⤵
    PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.16.1599374948\1584622972" -childID 15 -isForBrowser -prefsHandle 5860 -prefMapHandle 5136 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec7031de-6b07-43e3-803d-ef1ee6c107da} 200 "\\.\pipe\gecko-crash-server-pipe.200" 6304 192b416b558 tab
    3⤵
    PID:5852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="200.17.397410178\1681936830" -childID 16 -isForBrowser -prefsHandle 5300 -prefMapHandle 6152 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11942b0e-850e-4dc0-9233-23e0a5e51103} 200 "\\.\pipe\gecko-crash-server-pipe.200" 5396 192c1a16d58 tab
    3⤵
    PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
259KB

MD5
3e55c56205a89c859fed005ae1729faa

SHA1
b33bba44ef2d6932707d0eef8e00b0ed534fcbb7

SHA256
3eec290a7f7da9abb00b49ca84f5f16e6d45ca33d40fd8ede4380835d6161d71

SHA512
08857f23cb9c37e55fafa55d5f2b74ef7894bb54138f6c0db243ec14310e5a47508375da83eb8d6bcbe471abe24fd71ff24040139ec85c0eb6406d3b45341aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
263KB

MD5
3cb12db7c672b33735006480a455ec72

SHA1
d060e5996b3f7143755496cf2a06de5a59c283ce

SHA256
4c7a552d219146985961bf78d9083b7e2c1a82c4ada5d959f48b3e53754c9049

SHA512
808598eed329f0bf3ae2800eb9d7346a16e23fb4ee0a4e80f61f7f6d41fff09b76cb33e4d21d5dd6768d010d361ae63760814e4076926093afa8edb21bc52326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
447d3301b9820273815545b257e39124

SHA1
5c886d56f25f7cf9fdec24dfaf236382cabf5b4c

SHA256
f3141877fb438df0541747e5d3b5f6cae2d9819b1e73619117b26542d7357d18

SHA512
d92e9a1e8688beed6a1ee0eb18009c61c8537a36d504da48a04e7f07b20381017f7ddc1782547329317fcb7c405ce2f269a5cefff0d34556d442323c816a3c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
48bd8cd72f35d7da42ba46446fbc800e

SHA1
087c5928d687ba59f81e913151d37771de6e5935

SHA256
1c9c054af08a713b7eb4198c31ac82d0b1523dbd7a97981bfd3e78d2cf3d665d

SHA512
621f14cbcaff6d2c6b4f0aa266cb6900aefbab52ebeadc2f5d8b4348522494d3d92dca4ef0bf85e51effa096530d44e1d6bdfca67acc1c43a09413f4bc195480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ee6b00b1c12866bffb866c81be544eb6

SHA1
8dc1680eae5c85de863f71b47d23af22099d85bb

SHA256
be3ea9c5a3d013e981d0b2ea17ac6b6be14998fa36b378e884b9ccb4c3b5145f

SHA512
5ed15e4983cb9b723ece2c201a0f547344be311e746ca6aff9e24ec2bef9daaa4fa50bcfb92c439612721c5be3a573c164c3bdb117aef868ea5cefc65c9e3a42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
efd5f52429b06b962e608d267648fc47

SHA1
dae51a311d5e4412b86515a380babf17f38009d8

SHA256
5f1decdd019dbd6a32354ebd33d6dbcc409d15b4431788078f405e05a72f1874

SHA512
d25ee7ca6fcbf9f715b17b6e9173a860dc659c81e956309ab29749e50a285a7d9bfaeeaf5c2af20d76ba766c56030fbc36705b445935e888da4cce1d95f2aecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3fde4abebfd5a7e959189fadb4aaca40

SHA1
02f2225fa5c390ab188fa28e95190be0b6b707f1

SHA256
c9ea4300453087f1baaa58cc311600e3fbf2972dc841c5079a715d7a2ffdd8fe

SHA512
8db2c0175533942c8e7e21eb8721b0c8efef63d2e60eb008f514313da68742937b8333d0e35505367e85259339f6eb7e3138756cfb38f0f39cf0d4522037eb1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
1bc005419b06b9c8a1f3430560763557

SHA1
0b59c1a5d01d223302ba7ff903d3a401ebd57c3b

SHA256
73038a0400341590d52ffcd5f03792533c61bead8a7fe8dd6aa5e7328bb2e2be

SHA512
9afccdd0d26defcf5af487025409cb743b5ca9dd427c974bb1014078d55110a538c4e94e555c91df6f46bd9fe8b4249ef1fb8b95451ccf87f37313a2080c91ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
6afe9353e89044aad59532d6ed26dfae

SHA1
19a035bbd4f920320ca22c21252a35db95006d1e

SHA256
9fb011e4c92463a455cd2a5d62e3262e3f259930c4a0a087ba59301bd1e41196

SHA512
a337267d6d7d6c33d04f1ebd8d037e61b00c6c4196059b8a0b8d47d9dec138f096e983be3aced5be79a88266f7772a1ccff24c66db5e877acb0f575c2a193a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
fbca37f8639ccc84e4948c70acf43e24

SHA1
f83f10979cda19eefb73a5226fdf44bdec49f73e

SHA256
c667545d8c378a7015715acdf82e4774c466567ce55cd9fa77ed9857d0c33774

SHA512
62fcf1a4ed4468b290aae16541b8b3cc03923a7a69b9ad226501d505cc49f1f9796a299d6f6236d7eb7c2c2b6fe5b6a277f415eb5460ae78275316d51dc0b459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\15973

Filesize
11KB

MD5
b095f997bbd171c66eddbc8d6d6be138

SHA1
1d339bcbdf41abc0e81c2d0eb5cfc67a730d20a6

SHA256
3b2262da23dd2420211c7d4754f9f3576d0ec5ddbdfcd726910a021c9dce5d9a

SHA512
f1433d78135b7b6e28bb7387ba7f42382da1c56aa227e1617d50e49849901f0a400226426dd78d5c95a7005fac0a7d0b7afbda609c9aa63b84cc832211742eb1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\242

Filesize
22KB

MD5
5662567d22ce4121daeb60f8a65973f0

SHA1
ec9e3c7ec4a2651ebbdfebf77e39a5fef2d0e7db

SHA256
bbe543cee5070cece29f2b949d86c2bf32f71f12e4a561d0a587e187265a98d6

SHA512
95b1f390801e6f8aef5337688d27a9a6bda9a79025b5a7bdcb84f42fb567c3f5c9d4a3439bcdbd260f72015e1c6a77a68c72212177bf27e2207e6000201a4e07

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\631F2480F226B803A7EBF8CBF5998ED60F23C73A

Filesize
211KB

MD5
830d771117e2197b2ad70642f5b4c1f9

SHA1
d2041eba7adeb13424f5b6f966290573e95def64

SHA256
36b91a5032b829f5fc0fc3801c2a25610c7720b78f13520f99f0345bcc5c567a

SHA512
cd1379997b59489c1f5125b5c18becbe273fb739fec68be0e83235ea947cb2558d1a419342ea5835e44ad3d95c1a568d3b33336df3f95f0714b0fb9e3b40a768

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
510a36b71430105e1351fb2e83b667e5

SHA1
edaee2500cbddc957f4fe1acfb94d00b9829f85a

SHA256
abe5c37f88f36277b5a1712b0f7da88a1a836e85f761f13caf63c12034cef1ff

SHA512
e93b40c5ea0b2395f957072dd0aaeeeb70b4be3e1ba23eaedc86139eda7e00beb1b3a378a5d9b5c327f42818dd73c4c7549eea6fd98a51b7bfd3839ff8efd000

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\9f063eaa-9484-4ec8-8230-538443fa6780

Filesize
734B

MD5
d8b1ad66495a92fdf6ede04035831890

SHA1
a9df7d3e8ca7fb320e9718ca292a64e3720ca654

SHA256
4682431af2ee49b0d5c9d2df38b223cc8216b57d5f090a22d9d2fe10be3fb6c8

SHA512
65f2f5e0e5adbea353442ea433373ce109b9a60a749682da4568cac9126867abb20d8ba76b68b88a4822d251388bb5b1cead6b286994d993e3726d1e00fb70c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
83b2b859744ae24b4a902fbab08d79b8

SHA1
168d97c08b9f29a6bf55af231515fdc25f7221e5

SHA256
24d91b182bd0f5136a14abb0a61a10616b430c4f6b9a9b06ce1dc7392daeb609

SHA512
298439eec2d2ed67d213bea8606a0d853b48cec224d22ffe8efc844c71b4434c140176d9e397a3d434e81d20783f219cdbf7eafb2e7164a07bdc3ef7a1c785ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

Filesize
6KB

MD5
60ec6a1b796f288c50e4ca8b654bcb97

SHA1
42fb0e538bfde1ea7cdcbda3c74c6eeef3dc6fe6

SHA256
ddac02a425856394aa88e2e8361887d7aef6c7aae4bcb7328df33be6ebda52c3

SHA512
ecca1ecfe796e009064e6a555c1713ebb4b49b52f41bc27b08b0375ba9ef39b95a896a88c17d2a4a56bd29e8b85e13764abfa52a05e93c48dd064f70dce73424

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

Filesize
6KB

MD5
2716f7379045722225fcd4f6c43b2638

SHA1
c2ebb533f6a6c47d0790fd25fed13ace861c8112

SHA256
1fa0fe59e20fe5a1d190e6033397f8c1ec28ff759b4aa442e2801e6bc656417c

SHA512
c4f3bb228430aa6d1f35b9c7c52ce774e83048fdad477a7a7c848d6131e34fcd655b059658ed903a47fe43ecf850941287ee3c24edb5224191fcfd4ed7617f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
982B

MD5
6edb059ab96aabcee081a64df903cded

SHA1
a754285b9272ad43bc9758f1dfc3b4c7d195a284

SHA256
76e857abcf0426af16087a5994addbcb2adc73a7cad306a37af7e5209b656296

SHA512
3ffbb1d6a2ece8d5b26f51bd19908ec1410cf77291cc6bbe401b29f5a96b9eb537b5dc31c808565750f43627e214dd4708fc36c4ccf74431c32ad1f77e1c56d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
a2a5d7129f1b5d00de2e8d0c8ee6e472

SHA1
2786668a17689dfed67013371ad185d4c5e4ea8c

SHA256
fd10d5b3818ee8c35531baeefbdbcafaf194e64d258d5569e90425a3856d35f6

SHA512
121ebf7f32ebdd0380fcb5fb7fb83978d6d3d3c4c22948ca572bc3a7c4882e04836b49327adb6edd940a4b116dd87e8d076d1ca4cfaad51b0c498e15bdf02bb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
ff41bac43710b0458f4f75751489bc14

SHA1
1d523d0e463ba38fb7f2f1d4ecc3b6fe56ba2f69

SHA256
70c358c45c8f2a29bce906800bd3c8f6ef2c9cbcc21c0d6706b92a5d227a147d

SHA512
f64d78b86870b4eb37917e8625bb1b41b8f4b553fbff57325fc7967492c6336cda0d7367448599c33baa83046fec6856357fd2cdf2a0157b1eda379421a54f5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
ec50fb5b72af03fd09432493676d504a

SHA1
2572562720919fdcd17ddb68120ed7ae2b63b8e9

SHA256
b436d316027014b06a4385d39d7baacb0aca802d8ecdbfa9e8ff38aa62dc6f2a

SHA512
e816f6befb3a1b8bc747e930337a3e745088befc97f9cc223d5c1615f3dfe06d67c6f0e4fc3e63f7eedfc592066ee84539e7b605e6a7c4d27f344db6cc6538ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
cc887ad15ab30c6899157bc4702bb758

SHA1
d3c58e6d04ae794c0edc8c9c616f7408e3f622fc

SHA256
7768671fae256f197576b7972f9fcfe6462a5b13d15fc9fcb30bc02dcb4cc70a

SHA512
c7fff3ba7e6c9ae62396ac7567add320d6ff4b25b7a7132a7171169df9bd0ca985aeb914c483bef886104e5874c852a5c5276f3c700343b797f63c473c579913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++www.wifi4games.com\idb\556220133rrae_su.sqlite

Filesize
48KB

MD5
a0c94c7484c85c17c2d8503a5b27577e

SHA1
e33600c3e034842e62015fcef1c317fa84825514

SHA256
af1471769441b0708e4b6e0132b7d98e960a88ec1618b2448156b56e3be1577f

SHA512
aa82094d828a1b6a4a3af04146f7db42a06d2c29ea024136f2bb4b7ad996fbd7cd67e86592e4f946f94b2c5b05159f692d6d993f7f36d1bcc03cc6e6bb6f44d6

Download Submit
C:\Users\Admin\Downloads\Supermarket.SiGECPju.Simulator[wifi4games.com].rar.part

Filesize
36KB

MD5
3a54646ca7f46b456f2c722f316ac7a2

SHA1
c5434d11bf1901a3b4c5b0bff37756fa6286dbde

SHA256
d95e743a9952a7e1b53dd4ab04f73aab4610016d511f9569d253a3be88a61433

SHA512
2d614bde744da78420f01534d9a7a937c4b55f1c650d2d9d8b7cd556a4bed3f9a813445c0efe21df9ec3000540594061515239be5a81c09b8031575ecb3e01da

Download Submit
C:\Windows\INF\netrasa.PNF

Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
C:\Windows\INF\netsstpa.PNF

Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit