hxxps://drive[.]google[.]com/drive/mobile/folders/1Z_lfZASvIwFbdsqVw6AiV7Sh8hO46wGu/1hs0dHZF3IQwmVT_tN44SstJXr1e9TiFA?usp=drive_link&sort=13&direction=a

Analysis

max time kernel
84s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/mobile/folders/1Z_lfZASvIwFbdsqVw6AiV7Sh8hO46wGu/1hs0dHZF3IQwmVT_tN44SstJXr1e9TiFA?usp=drive_link&sort=13&direction=a

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
14	drive.google.com
15	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795331719907242"	chrome.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\fbx_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.fbx\ = "fbx_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\.fbx	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\fbx_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\fbx_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\fbx_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\fbx_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	OpenWith.exe
5060	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2516	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
5060	OpenWith.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4260	4132	chrome.exe	84
PID 4132 wrote to memory of 4260	4132	chrome.exe	84
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 5068	4132	chrome.exe	85
PID 4132 wrote to memory of 1016	4132	chrome.exe	86
PID 4132 wrote to memory of 1016	4132	chrome.exe	86
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87
PID 4132 wrote to memory of 2964	4132	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/mobile/folders/1Z_lfZASvIwFbdsqVw6AiV7Sh8hO46wGu/1hs0dHZF3IQwmVT_tN44SstJXr1e9TiFA?usp=drive_link&sort=13&direction=a
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd8dfdcc40,0x7ffd8dfdcc4c,0x7ffd8dfdcc58
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5344,i,14396490259756148585,11639350852248135836,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:3012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\hulk.fbx"
  2⤵
  PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\hulk.fbx
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45a23857-64e5-4429-8726-5b8571c07e8a} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" gpu
      4⤵
      PID:4100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24753932-dfd5-4845-8f87-d3e541ba65d0} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" socket
      4⤵
      Checks processor information in registry
      PID:4084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3088 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3de74aad-af9c-4e53-a523-47ccc6dda0ab} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
      4⤵
      PID:3976
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4040 -childID 2 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2854536a-3121-4cc2-8a75-ced0c748fa60} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
      4⤵
      PID:1604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5068 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4992 -prefMapHandle 5036 -prefsLen 33292 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {741a3d20-46eb-4387-9614-b059279781c4} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" utility
      4⤵
      Checks processor information in registry
      PID:5880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b634b3a2-0650-4a59-a05b-371bb7fa9615} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
      4⤵
      PID:6060
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc695b31-af3b-4216-825d-bf3ac3ed0261} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
      4⤵
      PID:6072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a4bbbf-b057-45cc-aef8-ef4f8ef8b4e0} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
      4⤵
      PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
64b81f761747fb5580dd6def37d8b140

SHA1
ddf20f8ce9e9a34262d0bc36d6f7b535bb798a88

SHA256
e8cd3e27d4c3586bd1e29cac7a0fe5a51cdc64f435efe801602951275d8cf80c

SHA512
009a350f9ba3c73e76b6e37ca55ace2d2fa3698892660fda2235be9da2c3680feb727af2baa41b0496d71a6b2812752609f6fa7b6c0cf15720b708f9f410f9de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dfcfca178ffeaa9e511afa2c13546ee4

SHA1
690892e0e788a6a66c66964fe160b6bd48e7d182

SHA256
8cee5f1231f652989f5d1c74f637744c7b15a635c40cef6536c8293d999105c7

SHA512
bb4f7d2d97694f8971efb7b90fef9d8e65ecf4beac3a16cd141f4ff90d290edb7396946daa0483a1c9aeeb1fb3a22ad2199d0966fd3e3c3e336cf7b3d9b5f9f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
53d0c6b93c639ebfa1bbb1ea9a0c1ebf

SHA1
a8a5d2f6da550738a3f5919e6b8b4ce752f0f0ae

SHA256
8a10cf9460387e04174587c3a9c0e459ac2777dd07c6757cf0190c8f1eed6cc9

SHA512
b79e11a1d9f2e28a9f547ab3496314f81ea9a84295ae4f006173768733af11a59ed4d3a605f1b84499611748e669ef3eb8bdc0e383499906731545b396cc8670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
cf9ce066ad50ee76573094c68810d822

SHA1
000bdee95aa460f626b064b311d9ac72c139563d

SHA256
d52b394f31cb28cc1d251a69a448d9c41b1b51e9dce6bef9b29c9a62ae9361cb

SHA512
e4384d0af1df3f5351df7e308de4c75c8b5e77372a3b0e66340e26fd1d17d08f7c8b606257f90b8e258d8a2a8758ab26d0b22cb861f5855b2075e3bae633e36e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9146a150da6b09c04d9ae5aa4c60454e

SHA1
578f95a0b611283b606f5f8dedeabfa9c212933a

SHA256
aea776b0bc1cff7f2d44e3c7d07f35276cf766fee02a2cfac98e210716412559

SHA512
a3213b8d78062baac9572bce974c53e6df680cac9d0a55f0749ab4d7c11aabbd9d8787a6620d15681ec96994a1656346b532f3cb38d85a7bbb3f62361dc656db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
021866c32681ca34cad43b87e470ffeb

SHA1
719c724402bc825c894eb5907eda4cb514df69c4

SHA256
53059a6b3a86253fc65d70b1aaaf2d78cddb3de42376927b781814c1920a0a89

SHA512
848f254a0e1152da39f1990682bda65dcf414458fc310a5a0dd67935cdbbe7f72a09eca016a4762f6180f55d6d6f56912d2de74fad766f6e6d548ae94f61981d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
32fdc35cf73aeafa47fbc090f584dd99

SHA1
5e8a4dc06744a1d1de860e68ffc24f31d4083901

SHA256
0f7558377d15deec20481ed24d395cc677b26a70fab2e79da99bdbd39b28363f

SHA512
a0b481ea23bb471c061a6a169d7edcd3dc805b588eac17c153d4aae77aee40976ffe312630a80cc42fd852066ce4dd3872338ff260e2f8128f71ffa503f5bf52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1051e619b7ebfcb08dd5dbc89fe3e505

SHA1
2a2a5eae73c5ccf2ad9936e7498b5aa924ee3341

SHA256
3ccbfd3dfa590e793f85f0e30939b222686bf364231270ad8e5fe432f43a0379

SHA512
2730c18c1fd6e995a1ea496403d34888f2d029ec507c81d0b53fd821f8adf2316e5a0073c52f1cddf08292d812f73eaa5ea3f093c8fa0c0382d014d0fd7466e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1e10b1b7cd73127c01734bbbb05a91e8

SHA1
b130f07ca7c5446ece0f19808b70cfa43797f36f

SHA256
87386d75596e5c3da04da598833196d330a0cca8b558b177ae846f77f21d3ebb

SHA512
35c1cee8d21703d9018181ba4d7cba151b201da27c6df366bce39fad4a2741b7e30ecf12ef2aa27d13341a53643bc9588df9938c4d94d01fff7a4f9d3612d29c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e2067827386c9917ac3c6e5427f61e3f

SHA1
d11ed8b7196ebe99c40a9c1c6a0cc9e02fd2b62c

SHA256
9d372fd79f5a4927b7ac0e37d108ca6f2947497b58fff9c8f2ec65a1c2c5501d

SHA512
9c951ceafc75513ab272abc85fa09202b2181e37947947c86945c750f86450a646237efd254094c03b01154639c95f9c993d8b33ddd7cef453ca53649b409fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4787df84a63e9314abd292436d34c40d

SHA1
c491c0fb4907d5630eda27d70894abf6e3f61122

SHA256
ae3c307bb8d3342ff25079cf1946761388b99d7d957b4980da638ff57e44b77a

SHA512
69ba7f8ed220f277a0a1aa6ac2ad6f321b2b08e6efc96d120ad87cca8ba18607c98361741f7a9e1d47586806830833ec9051c97430d0ad3d519f2589d84d3f3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ece7fc94713d048257fb662eb3ea8a6

SHA1
e8fe5f7ac157774439c1fa2e1ba8af253615bfb0

SHA256
b8078790d7008250c91784f585227284782dd0e238cb892b53c96546b316bc74

SHA512
0ef8c975188b0dd1e6047c89d065bb7495ad5a5b4e66ba8fcf64426cc4fa804071a325244e44ca73f205e5a4cd136a1891db76f4e55f6b65895cc8e77a4e84f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3cb7ea3b22d0632c18c6cf7bd6bfaa4a

SHA1
6cbb789c487579d485d16ed5df4667cb15953d6c

SHA256
6edaa981b871688563ef0b809261c8148a42331f18f7c54d7f6d059af5c6d253

SHA512
7514d8a1c861ec811346b7341f546f44e503f8f694bc0747131ea0a314001e684afe77993fb6831c6435408e5c088987afca539dfcae32aa374156cb5cc847de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2bebab5a39a159a3098bcfbde3ae59d3

SHA1
0b459a7581a58803bc73d2faa5c53e0a3a899c81

SHA256
057d71ae900a6d132d963da10a32f9bf14530c5b191cee72d2ce93969a6366e1

SHA512
258af1dc7ee8a328db4455546914bfdd8035b6911afe076f214588d85eab53ba9a3d0f114b59140faebff821810a4eaef0d5853f7b46a4e3ef7142baf2a69ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
0330c349e16127c9a2ab7ec621f582c4

SHA1
4966fac09bb077ea2b446b5300d2413dd8b88208

SHA256
651ef2166408f5d5a174be0cfaecd02154cd91ec5592745b0d86b9e5e51194ca

SHA512
59777a1c1f918b2c5950a9411b73ee0498d00dadd918efda73ce3ed6065fd5d80d194ae3d21fe470ab81fd14f15c6551dad29ebe533331f3e427617eba58f23d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
629397bcd7f45d8501eba7650c9815d2

SHA1
c491a6aed62e8cf8f9577f53c62a0f8ef9a64f53

SHA256
74ca35655a2b42cab2d6ef18f6b6321f55042bf3ae1f5bd998fff4356f1db2d2

SHA512
4ee4b3761fad9f553ea3ccee96c6b7ba004b45e475a53bdc7bf1dcde0f2fed071ee73289b52eaf6e78ae185f892c5505d66aa0d24a3df83cd208b589491b0f7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

Filesize
6KB

MD5
c51ad84de062c2bee8c403ea8df3ac64

SHA1
2a45381ab473da5783c3ab51dae46e1100a7a257

SHA256
9a8fc4fa34948af4dda638a22bcfd97a3dc3e500325eb625819b5ea798987850

SHA512
994d498b9243cf9e02f1fa5b7922f2aff727e064576af7bc8cf2f535264d787e70bb32b15b219408f8b459ff1bc4a2e2fffde69d1a884beaf26c7a7b3ce8539e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2caa60f8edaebe052165acc0d98928a6

SHA1
9301a606ad0504552a9db9ad28e47bde506755bd

SHA256
6462cf658b59ded31f9632595c6a03ee8f7e1cdaf59a2857fe3300e62d3791c5

SHA512
e8977eeb2fdc866574d5df6544b90a3d3c0765ae424f99018bb50e24358de37665d4038aa53db6ab2f58bfebaada08780e5b1f1596f71ae614b0d4ce0a1fca7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\06d99d5d-74d7-4671-886f-7d98f454f4f0

Filesize
27KB

MD5
fc28b062130b5ea866f0caef9dba088a

SHA1
80a671934ee8d5b0b9eb57f16949b8f32d6c3bc0

SHA256
9c4e204b5761a964c48a766f5426bd48f2b2273bb029b0c3a9986ea30317badd

SHA512
07219772fab9bb6681cd1bec938d30cbfd85ca2d157550618943de36ef275637bf2428c7dada82e24b0f106b8f30f96cfea8297ba7d29a684f2d36af91f20daf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\8826225b-131a-4950-a98a-fa5c4bf5ba13

Filesize
671B

MD5
d5fa262fd240c933383db64ef3f1a856

SHA1
5c240678fbf634fae5a2dfeea61dea5b0af60003

SHA256
1397a5786869d92e4ddd58a90dd40a50d040eeff3957652f4652c08d05d463d4

SHA512
49f69576182347217724ed3c6ec9ff40696722a717cabe6a668af619ee28f17b6c73b4c2dd2074be66bdb2cc18047e513f7aa6252d3dfb26cd5d2bb7b045cef1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\973b89ec-46f2-488f-a60c-59285d8e1f9e

Filesize
982B

MD5
6f0a0daf78af11bf580fa66b41f3f9ea

SHA1
4e8ebdc0781c367f08ef95a68fb1b8b010f71e86

SHA256
373a9c43271e2e6726243db896ff72d7f037f896d9c822583091a5562c370406

SHA512
a3886435a349ed68c35d656081a7715a96f76cd8e226655c2fafaedbc0b3d1cd9a27c887f94d2fb11935cb82d51e4a64b2eb3fa9bdf2ea6cbb17cf27a129e32e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
10KB

MD5
04cf1b325c15fbeb1377983e97e265d2

SHA1
04d349037401f172f2d48fac25ec95ef2b232c5e

SHA256
f117cc2b4b6155936070eecd261af3e01c1a9acb02483d14d193ca2d6c3a3bf5

SHA512
ba2b3af0275a97eb7eba6acad5343aa564a71293975035ce69ada41903191c6345b8036e832d19072fe483e89767872753059619da52cc2a4754f8f11a3bccf7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
10KB

MD5
bfa603e42a35afe23702f6f66eed7271

SHA1
2472a35034b71f50b698b2418def4ed08a9397f3

SHA256
f1099c8b864ed56a2bb0947ce3f062cce0f33498e5eea2c898888d49763718ba

SHA512
a524cc0266aa3dcfc22b8f28a44cfbabccc309c335a5b3f283767b4e9af419c3aa44238dc656cde6c885304dd3451c5d6764eaa604d7776a1fe23b73d3b49cb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
11KB

MD5
6e5cffb7a2fc33d287379b61e6f418b2

SHA1
ef6143729a0b4d988dfb60d497f8d4685467a10c

SHA256
a7ac66f65f2164684462828ba1785f178e3449d0d28e20d3b1659254a4350df7

SHA512
c709444b9c0a5afe95a2634dd1e7ea9be4d76e09f1074f8f9dc33ea0f3ef5fffd21205ebe8892973447c9e47f91270aba272297e4f7a09398cb2fad4b7014977

Download Submit
C:\Users\Admin\Downloads\hulk.fbx.crdownload

Filesize
6.0MB

MD5
31fd0263b70d7713e0a2fb09e077f1d1

SHA1
eb8680ca40a638f23a213b1e0550b0c22fedf761

SHA256
6cf1139aa06e57c02c15100c91e949ba9dbc3dc9a72562ef55f195be0e009a33

SHA512
cabdba4ab117b4e3b40895af2641e7d6911a0cacedd485f1cff560dc772e92be9a1010c297618c299304f7c083ea86226ed761241bd56cb02fbfdc270c7a49de

Download Submit
C:\Users\Admin\Downloads\punisher.fbx.crdownload

Filesize
9.5MB

MD5
d2334f71b241416b6770a27696c4cd00

SHA1
88581607c655ae5cf066d3a8d862b997d136c356

SHA256
7ce0e1dbe1dccc552dfe07f84627dbde82852b65ba9376716560fccb5d74b2b8

SHA512
7d4f27bdd87f21db3cf9850e5282e661ef9b960b69b720ae2d1dfbcdf3e919ea70ca3bc1fc8802506bdd868fa5a6e5ca7c456e635302b187fd2cbc44302ef606

Download Submit