8336aa1bdea93cf05742d0a7713fa874c7461034251666f277c698bff4d810e9

Analysis

max time kernel
323s
max time network
343s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

text.txt
Size

546KB
MD5

c4d10d80c5769ce18771c547d4b2ede0
SHA1

adf4c61d3501c31f2d4ba0ae86cae70e65c7520c
SHA256

8336aa1bdea93cf05742d0a7713fa874c7461034251666f277c698bff4d810e9
SHA512

2dcd7a2c842043dc3ad4b7e77297084acae254804baefc7bc8350c1d152aec6085bebd00696d14fab9ea130ea641ce85339ee12963b911e178e0bf0ab9a3fa58
SSDEEP

6144:vnf9XhZ3uF3hyIWt93/zMx/RLrqhRj7vJ:vnlf3uFxlNehRj7vJ

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4916	lol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
60	discord.com
61	discord.com
62	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{E1238E43-5516-4F88-96DC-03E504E725E1}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 6846.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1364	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
320	msedge.exe
320	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
872	identity_helper.exe
872	identity_helper.exe
5620	msedge.exe
5620	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
3008	msedge.exe
3008	msedge.exe
4916	lol.exe
4916	lol.exe
4916	lol.exe
4916	lol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4916	lol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	5172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5172	AUDIODG.EXE
Token: SeBackupPrivilege	804	svchost.exe
Token: SeRestorePrivilege	804	svchost.exe
Token: SeSecurityPrivilege	804	svchost.exe
Token: SeTakeOwnershipPrivilege	804	svchost.exe
Token: 35	804	svchost.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4916	lol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4856	3232	msedge.exe	98
PID 3232 wrote to memory of 4856	3232	msedge.exe	98
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 4164	3232	msedge.exe	99
PID 3232 wrote to memory of 320	3232	msedge.exe	100
PID 3232 wrote to memory of 320	3232	msedge.exe	100
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101
PID 3232 wrote to memory of 3376	3232	msedge.exe	101

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\text.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff36c146f8,0x7fff36c14708,0x7fff36c14718
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2020 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,18365730702582647333,17300486157639594403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Users\Admin\Downloads\lol.exe
"C:\Users\Admin\Downloads\lol.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con cols=85 lines=17
  2⤵
  PID:4220
- - C:\Windows\system32\mode.com
    mode con cols=85 lines=17
    3⤵
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3ccf5aed-e44f-4dc0-a345-d6c56ab8a20d.tmp

Filesize
12KB

MD5
f01b3463c2e0b202d52d4bec1cee7f45

SHA1
84278cdb0123847a58daef8238ba8d6e06ed1d3c

SHA256
5858aef173765dbc85a82b613728b8d4d6ba9dffe3185c2f7835f2e5b8622e17

SHA512
412adc52412d0c62c4fdd684ca2ec87cbbb3c2a8a2c2d5d9f245aaf77252eb9e4cf9ab35893ea71af97f448ee34e106127177d1f197a8e7e136765265516a94d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
124KB

MD5
af54190b2ab294db29711ca413b7f02c

SHA1
c76379bf73f86a1dc0841582306a2d3ad579d2a8

SHA256
80b1a700acdd7b20d264c5b2d572446a6e536dc658d14aa393b0dcbc356fce44

SHA512
d429372ca642680ef2e610728e195e9987942b2b4b4739d4c6f577458da26c6c109555d1ffaed16f1d7094622b7b029fa539f93d25b6d43fcc0d67124c2a87b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
1024KB

MD5
481ebaa7919863593cd2975cc5f04092

SHA1
1de9f83aa906a564579780f776eae1193d916b53

SHA256
ec6709bfd31e32efb2cdfac79b3a7a001681ca33df178f6d9e99111e5322f7f0

SHA512
5e6ef375687e59d74cc310ed94a5c9c8543fc8a5204f6a761d5fe3e6d188278bd24777352acba7805ab886783d8c1a57a8a256657fe95e1d61fb79e447ba9fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
396KB

MD5
5f32650303661f043a734caa99ae98c9

SHA1
b292e9a5ad3882ad5b5ad4023ed9d6d64af7ecf2

SHA256
e9440a29268531a0c6c49939a96fbfa92c0e86b01ce320390bca4bc7ced3eb5f

SHA512
9dd2c2d2ff7254e6afc0bca42df06c1d6d5110e6c6c1608091afab17157abd99e4ba5e6440e66acdc7431e1b3726ad627c5381994ea420527be20be918657c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
08932b5b1f776049a4fa0fa8ec539207

SHA1
1cd452af24d4faebc04b7d99d4321d90ebe659c5

SHA256
662b279edb89e6a91d27bee091f39eb308cc9bc52e173b7aacb39ced24ec9600

SHA512
ac840a5c197142b9d764c02240dbacb9187c1ba36c27ce418af7246d86f96c92a1931e206e00e8b68ba669a2818b86af47676709a47bafe4dd27c68f0452022c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f645bda489db3dfb1ec6a249c902e3fd

SHA1
b3f1bd811962bfc727916dfce49060ad085d64a4

SHA256
f68d6863ef771b2aec515423bba4a36b72203f4c0fa31ac42da138a54229ecd1

SHA512
5ffefe754ffbf8f62904471fc5f331b08118eec69410cf1281b3ceac26fb0327eeeb0d32c81a310c60ae7c1c56fb2b4adcb38153d8c523586fce78493121e6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
f58a282ac3a334f73dd81d04c1bae5bf

SHA1
2c83d89fddefdbde91ba0b78b0190aba3f96c1ef

SHA256
fc642b3d3c88a63e4a549a277d4e2d76c64325ac3591b4bec92649354de3885a

SHA512
cca018fedb0d86842b6af8a1518322f49baf6ca43b0c63978e055ae2b7dfeb24df3b3842efb501e26226b0fd7e174f7263ecf37483a7160637fff0a27d990844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
399c6855a3583e4382d41e52dd1fb215

SHA1
42e31c301b556112d8993f9c5e2b8fa4a3a2f641

SHA256
5d2bdab855a0cc657100c84ab45139029f127530cb6b77fac73e55e9e014e2ed

SHA512
8d5af1b6c21b92c395017d2e063a2d78328744e5c4e9abbdf81dd0c370f46064efc049b622bb1a5fdc2787827d433cc478765b5ca1b2cde3bdf6f4338f1a8831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d9b19feb7db72c249f255fa34bc09cd9

SHA1
ee3476f9f22ad72fbffd4657ef77f7fecb6421f2

SHA256
1566a9c4ab4e8adb2b62c308a7f1c0cf201af1d1665f9b60128a732f38f85487

SHA512
3a2d75bffb815eaab1b0e96f78e0eb3a711a2c780896e39bdb151919fb80c2e4b935442e6766fd63508321264ba7b0c007bab95b1804b7c6498c318e94531f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e24fa8b3769986797da944d62785a725

SHA1
b62e73abc83ef458159f61714380b0ed8a254939

SHA256
386005ac2ea44ce1b33ad1c195d281eeb0099f2297c8da304c13d30b7b6564a2

SHA512
fef901cd180bc87d64beb79751ddbc6f8fc0447fb0ae9cb5d5e72e68d1bf8dbed1d8f64e430d3b23e8388c34b85bc9d703332fbe67c2f565ad098477179ff33a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
79e0bdabb65e3fa0ffad169abec003a2

SHA1
a950f132f2f0279bd1c9358603b6cf3c047aaeb8

SHA256
917ebddaa1a4302aeaf2ee37e7cef98cafc93b5c9fa34a9189e0bd9a90985574

SHA512
8d3b123c29db359b1bbd0d0e6797a4b95a0dbd5b7da0b49b61702cab5b9d8d612ac85110ce48df462f1abcf52fa68bb445d5b28075854989b7c208676925b3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0723a9b731f532d74794377378042b44

SHA1
bae24e47692fcee0df849535fb7c46b0fdaa4fa3

SHA256
8d740f7e07feee5057db5505de902864c6e2225ebfc3cca3aee954f1d4f29283

SHA512
8b062e986b9fe9c03bec3a66620b3cc304136aa72ae7292565877a9c7768a5af007f7bb765b842e22ca661ba2db3b3483e42ba528a1c39bfbb81b7fb7def7ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ef524222d35337b9a7cebbdabc4a1557

SHA1
d69a9dc465d86dfd8c17da886667104dd46dcd2d

SHA256
af112677bb2372109f919a4c6883c6a50696977c7ce2fbdb179268bd32b9c768

SHA512
c3095b868dd4065b74e3e965809db628dd49d5b064357e4382b48bc6bf1559c8d347d0fc71178fbb73d2c2431608017bdf1fb62224133585a88b54846b5f6b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2f1e2e3d1ebfedcf7a73f40dfe2b0247

SHA1
d67135db4ec47bf97df69cf74e4e24d4a6de55ad

SHA256
8886b3b302bd0b444e01d3ccf379426d19af70aa3f422394064867cf57721ab8

SHA512
5201b24cf22caccb275a59dd4c4bf4f510e38df29895bb475d40304882e05c9e2e1e2ebcd7b962c17af8016b67adfd70d8c2832028f044b8a9e990a72d27e80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c1ebabddb52feeb28b10f9cf2043618f

SHA1
df6d006718f041fc9799ccf2e00d125f0a4c0b3f

SHA256
63bcd649dc14082382013e7d5632f928fb53723ae3aac4804cea1655271af6ad

SHA512
198aaddb12491485ba24a2e48f478ae2b00e138e36bae6c6013cb2214d7a4746b37c0ab0e20647e4ac20743bdcb64ce458e776741d70684023c1bdcc03503df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d0349c267485db878fb865995f7f7086

SHA1
70b56ecb039f0b55b5db853536a6c9d019236d11

SHA256
5247cb9f4075388e9a72bbbd89bea1fa8bce7bebc953b40d73c099c07e90db2d

SHA512
91c9a02a7ce2a762795bf334b98afcadada6554f772610c064f4076a3cfbe68a699704d528c61587f4ab56d251b17b98e0de57756c1454723e15c2c494de734f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18409098fd87bf7215388e68ab9fdb72

SHA1
7e4901a9aa5cfcb425954881b1f2605c744eaf52

SHA256
12fd19fde8c98aa4fc21c5f1b1530c98777e1c613e24b6059f00b364d8103ee7

SHA512
49f99424c3ef7f4adee0ebac7fe2612cc1f1e858ba03224bf3efd66486a2f45bfc5b56a42c9a443371a36b038543d203ebc40d0631a2d0c292057286ae4341b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94744b269f99ca78527c50c7e9d48215

SHA1
5c7acc0ea3ffe44027062c6c61fac29e3194f769

SHA256
7eba249aaaaedc39a02a40c866d76703abd7018b61a5aa3dedcf63e4bbc976aa

SHA512
fa909a08f14998938bc38502f95df1d7f4f0d65b8794ae3ffe319de804a13f88e118078b73339382c0e534bcbb7904d3c5f87a10ef59d909967ed8c24123a050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
895c946361cbe9b1ef2768e6ff0163e9

SHA1
b1947e0e0a0d81707a6287dcf63b2bcce485d45a

SHA256
93a8bd8fdad11bd0122b7cb17d941ccf1dcfbd8505087fa4cb897d56eed1dc5d

SHA512
d3c058d90a16a16147f32a5b5341075535a9a63a6fcd581749f7f898047fd8d3233592d5de2bfabff505153b26d0be67314e7657e12735248128ed3fc67422c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a69201bd7ba79ef78878a4a15ef57c79

SHA1
fc20d83ae8009d727186b6559df6ed9bb653d683

SHA256
e463920f6da8abac9c1c97206a6a117c39e8326b415e9497337cd484527dbe00

SHA512
584038469df8c6c2ccc2b36a4acab8d42df455fb1143575165d9ca7868a5a9de4e6b335b22017446953d46a3da74faf3a071e8ed96e9a98e2210981b77b3036f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcb2a86ed0e21fce7ca10d33ff5ad440

SHA1
9054f7fd5c191710ace1ded27e8a51aad7efc328

SHA256
264d6648f8a65aaea10bdfeef548400e8efe562a3a3e190068249d567c47de38

SHA512
5b840eed105a9831d67a514b4e51df68cfe494054afc33b7c26d7d303b01ea7af9468ff09e3c1abdd021844d6b4c186f7fb6d9d644e25a899cff00342a86ed7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a5313e1e7a8b21354e9c9bf3b438ef2a

SHA1
d9c89fcedc29a5bca39897beda246f6123b42905

SHA256
b72655297c5fb4df11642e0e3c90c4746ee6d798bd39e7c802953f805ab8917e

SHA512
35866419eb6ed068aff5ccd5c6c15159d8fcb199ee36a23762fe231c470f175515ad72a552f659ba5aa650bbcf26fe85cd732cd2fcdadf0aee90a167ec28607a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc862ebed46117b1b7cebc2537e57a93

SHA1
10dce608747b269b8186f825c155ebb9b340b593

SHA256
0d303fa7b7eb1cb585422fe8dc7b518e0957b371b4ecbb7b154d2b7cd32427fe

SHA512
dc4326c9de0cdb22c57f4447dfbedd72dd9d69d0de4b711dcb87b416ddcb2933a86f536ffb9677f195d692f0b8a8cd9a8f71aeb5a80dc94d20df88b0386a492b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97a8494baa5e3af0dd35fd04ab0f3933

SHA1
62ddffc2735221d65b51ff9a43fc5dea85471e96

SHA256
f1e434e75efdb9c986e8b06d71df6f95d735202c877a45cdd18315946bac0fcc

SHA512
019fe8365cc90d873dd1a0b9ff60f7071c9ede4c6d257ef1eaae8e21d77ae33be2a949a183128bde58df8cee21d5a6fa2d91ab6c4c17058e6d408c85a9d9fb14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39129d9c6e47a1b857121e4e600f31b3

SHA1
a40b7233a575bab90a4a9be77b68549a6ee262d7

SHA256
2be4dc14cf6fb9b37f67c4a36da3f0350c1bc51732729688bcdb23c58257a85b

SHA512
32257f051eebef39fde484d42b747e62d23487365c04ac05d4b3b392d8de52061452660438a6de8d8393292b0fd1418c994c7ec552747fa35027a750c7c329d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1d971e5fd8363de0bb8cac9b24228b0a

SHA1
439adaa524baf766c56defc8916c8177155b374b

SHA256
bdbfa675c142966dfc06db2ce6b7436fdbfa018373f639758d16e117e3ade729

SHA512
d7b05d159cfd653e32859f07f49a178b8df4baad1882d0c5e03097248a983682791164fde85f308dfb33061d599161f55039aa90434d7eb6a7bc1c6d86bec5e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580bc3.TMP

Filesize
1KB

MD5
1af61d5f0d6c181be6f1cb15ab91c0fc

SHA1
4e99910ff7ac97ada0b4d1f15589e6e75f57cf83

SHA256
a2827dd1be8663a82348804e898be2b614232d15b4fd1a86f4759f01c05116d3

SHA512
d8705690b44417035d9d200bc020a8df7160688323eba3d4968509520bb1c698263e6ae3f54bc889c45908ad7d85f669780f6ade1d59820c6b05cc3c3419f081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1374d325f14821da4d17915c0c22d77

SHA1
56f78dda5409a050492eda35571d50a491281afc

SHA256
25202a906a47dbc6b6ef68a7d1c41ffe8aea18546fbd0a69a465659245c39e99

SHA512
ec768dabc45957084c8904c612e9db11874f0ccf51b7a5829817e15ca2a71b23cec9c3290b91055ba5f81b083946f051804a768a1da2c91789ec324b0e2b9377

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 6846.crdownload

Filesize
3.4MB

MD5
10d740b8bd1bf5b555eb76670d30af63

SHA1
79dcf88ec9f7b2904889f5f18be9efe62f0cd6ce

SHA256
8410128115fe694825a5a7ca85efc642259ec17dea39ee1b58eb8818ee58c39e

SHA512
e69296e02893cae68e5a2221f9e7a4b0f968e38c0f46cfda17fd88682acdaf0e258b014bf534cf40f316e53fb3a5888d2fe2db3f3af9f4e0bc0fb1e752527775

Download Submit