e4208de47bd3293d69fed65c47de8020f4931e3ab08e2c3dee0e9b1ea15dc94b

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm-V5.6.zip
Size

24.9MB
MD5

c22e03f94dec14d4bd32cd2e799c105f
SHA1

4f9ef5352d31411cfa1fa965e6489473c449f1bf
SHA256

e4208de47bd3293d69fed65c47de8020f4931e3ab08e2c3dee0e9b1ea15dc94b
SHA512

c7736702e2e208041843b07e4814ce0fec8e42ed654aee46676c4fef6aea7b4f08a58cfd27731e866e7241be4b508e037e9c752ac99a8ac7ba78845e0c818bb2
SSDEEP

786432:iCIgXirCT0kw0j0XIstCbAfoJpVPH2a2UxfDfgSnVh:VXirCTvbjvsteAfoJpV+a2UxfDfgSX

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
41	1716	Process not Found
68	4504	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2864	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
4224	msedge.exe
4224	msedge.exe
3956	identity_helper.exe
3956	identity_helper.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3504	4224	msedge.exe	97
PID 4224 wrote to memory of 3504	4224	msedge.exe	97
PID 3576 wrote to memory of 3988	3576	msedge.exe	100
PID 3576 wrote to memory of 3988	3576	msedge.exe	100
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 548	4224	msedge.exe	101
PID 4224 wrote to memory of 5088	4224	msedge.exe	102
PID 4224 wrote to memory of 5088	4224	msedge.exe	102
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103
PID 4224 wrote to memory of 1824	4224	msedge.exe	103

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6.zip
1⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc08b46f8,0x7ffdc08b4708,0x7ffdc08b4718
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,13339634766828578008,11878484888239554611,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3184 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffdc08b46f8,0x7ffdc08b4708,0x7ffdc08b4718
  2⤵
  PID:3988

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjgzRkYxMDctMzUwNy00MTAwLUJCRUEtNzRGQjFDRTc0NUNGfSIgdXNlcmlkPSJ7QkREMTg3ODctMjQyNi00NDdELUEzODQtOTUxNDZDN0NCMkJCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzYwQjlFOEUtNUJFRC00Nzk1LUI1QzktRDVBOEE5RkUxOTlGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzM3NzY5NDY1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dcf6c443f82d4a5f87e2682853b2f355

SHA1
ca4623dc0bc7b7bc4f31dc0dd8834ee743fc357a

SHA256
30d0d0bb11a133f7295c839c78a88d72324d9e279b9c465124ee5d50299b7a86

SHA512
b9163bb08cafcfbc8e0e52d6cb7ca72c5137ff5347c0a7c86787478ce979c3390f355f9f1ece9be1a8fe5df9b94dbbb1ae574b0cc1b63959ea630157765e11f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1af47ff71a93ce65b67715d8eab1463f

SHA1
f7cb1fe4b76f2a24d12acbe5d77d8e69b766245a

SHA256
d4e05a41fc65aca28648d51d557db9494dcb31c484c150a851d0b3369f18821e

SHA512
4826974f8d9e8280dc8329b8a43d18199909caa2e425de6a4583aacd71f94228a38688c26b0c6127fee13168e518457f50f0769d25215d9629f1c681dea34e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42599b8556e9ff7c58488d249eb19865

SHA1
56c61bd9777384a52045ab6f914a358f0cf01f92

SHA256
6f91a485d9dd00a7953b0a868b8fb41e94cc231dfec2ba20d46bdb5e879e4e0c

SHA512
c6ccc5ed25b418c47d29e7cb4ffb86ba2b254b6e69ebf828b42d62276c36cb064bb7249846c3c103aab09676bed83205586909469668d2ad4eec4ce01fa9c613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e89c29cf019c0d88b63f5bdaf0a32ff6

SHA1
87211be87215e7336c4c43bfdf05896cacabaf98

SHA256
90914d579369e3b6d474b2a07e31ba4355025b35aa48892d7f2fdaa1997b0d03

SHA512
82a009c37a8abbe2a2f9ccce014e8c8f0fef9d4170e90b12efbe6fd8df250b4978a21ab7f62021e9d74f1184c8f613d2ec9c9d03e93308aa8152c086a3b036bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6518bf8e4bd74895fa609049b3962c7b

SHA1
fcb73c0f40badbc950e042675d92b72c6ab6242d

SHA256
883ec0fe023c7414df15fe60594fb17c4cf65f1856ed45cd43028f597713dcfd

SHA512
8f01492c9c3bbc774879c309e6f3831ea1c070bb80ef2f34c672a6505ee3a62b95dcb25a5a84665006c628f394bad25ff3ba0d7d41a2f9a8d55d08c9767a46ce

Download Submit
C:\Users\Admin\Desktop\CompareGroup.png

Filesize
776KB

MD5
672d2c9c70829e8f2991436bea41bcf3

SHA1
45dda93e853dcf12607b707be32dcb415b384aad

SHA256
bbb4ccfb72a3af4403dd561942e0c73b61a355fa0f29a26a56f173392a0c1da5

SHA512
7e11d53da128e2278c664cebcee727b2df3b5cf4c9b79b3afc1843368447f2a73cfc24490d6e6fb2effee72363006efcd96501bfa46f32c813b2f1141c0ef9bb

Download Submit
C:\Users\Admin\Desktop\CompressProtect.mpg

Filesize
714KB

MD5
561bec058ade863d581ff1a4ae3fab7f

SHA1
d55f4db23e0ff56f393ace2597723cbda404b751

SHA256
ea865b0ee35539916ca18c7abb2f9326020a529139509f6c990cb29bd14c71e2

SHA512
6f716497e5dce868aebccd7a678e2c14b63b99deedb54a56a6ea7e4c011deec45ea5cc96c9d8b725ccea73de3ab1068335155ac137ee59944716defa03309fe5

Download Submit
C:\Users\Admin\Desktop\ConvertToRegister.i64

Filesize
424KB

MD5
d29a7ec81c816a09e3ebdbaae99b14a6

SHA1
3b0928790fdf24572878150f11e45684633ca1c3

SHA256
d4cce158caf4c48c382376635660b3073ac3ee373bff6a7e894b6b458ebd89e0

SHA512
dcbe67d88812dc5c3012db89a56074a0e0f98ea1a614b477f507e4d853f8b34781ee540c1ee431ff9d71da0b5dbbe62d6192e5c3281f56de641dfb31d37b7048

Download Submit
C:\Users\Admin\Desktop\DenyWait.ods

Filesize
300KB

MD5
0dccd2932a3e6072f65d8fee66ac2864

SHA1
3f50d9f7928c5323d21832adeeb12d565cd79317

SHA256
c126ab34b15c25fd22c38d245c08e1a5d694f75438649659868d98fe6f7df275

SHA512
6bc071bebc8ed3f15dd4f43ece5efcc008d9b7dd7c6138778f2858dff9d4f87457c5214c719222b014c1235b1d97389e5f3de05a91313e2a360b3e3f7586e811

Download Submit
C:\Users\Admin\Desktop\DisableExit.bin

Filesize
652KB

MD5
7ec5d30aaab06aaf63bc75c5122301e9

SHA1
0621ea9e909dce0e4b59442a7c47aeba7831e10c

SHA256
bfa2563769b35be7a81ada3db20fad5c615064855493252e4e577be9f1b7d554

SHA512
d93f3458822a31bc123709bd36cdf2eec30e2d113a9048717d0ce6bcc309b95b93a3c207aac0d2ec61e9f5a255e78929727dd2b2fc43d8d5e51d37ad1054863f

Download Submit
C:\Users\Admin\Desktop\FindApprove.sql

Filesize
382KB

MD5
308904539208a8b728a92f9985baf842

SHA1
2eab83d68a49b5e2df2f18410b7065fff0ec475d

SHA256
f16b0421a69d48d9217eb2d1f1c3385c738ba1887c5b480e06c9cfd0cc1b18f1

SHA512
89ddde09193f8bb123510151d9d314a47811bf7869005269cbd4247dfb578642317657b45a982e8c3b5c9f90eae9388fc0348011a311f05c4debc3d09b8e5edc

Download Submit
C:\Users\Admin\Desktop\FindMerge.zip

Filesize
569KB

MD5
abc28c0545d3bdfc53f6c781f901259f

SHA1
ed12930c909df8e5c001214d45d2272ee183c4c9

SHA256
127bc97675c9b019b9d98ac6d84b513ce04b0277617b9ef6e450ccc9090d8508

SHA512
6a9e3d156d008b9c70674e933681ffb8c3fb1c4eb4332117f71d232dc572194bab24bd76e9be59b1c6a2be74f466dac67966bf1fd50185733f6871b80e2c05f5

Download Submit
C:\Users\Admin\Desktop\FormatGroup.raw

Filesize
672KB

MD5
69bad906243a28f77911141f1366c9c3

SHA1
634e6f4002a7bc5b31f8d4d79f9cfff57c5ecb2b

SHA256
abd097f3dadc6403c16b8fac7bbe958a0fc8460bebecc1cf0b28e10c72ea5e10

SHA512
32cbd785f6eada6ad99a621ae2c11a06ace32820bf93a532c34983dc80628fbf82a1a9f6e3f0409934ddb609586688957e5e087ab312a9bcccc20c68e5f6b782

Download Submit
C:\Users\Admin\Desktop\GetNew.hta

Filesize
796KB

MD5
5cc9caa17322f4a611072781158f9e2b

SHA1
947bc3cd3a95496e3932a1a031c62bf8cdfe2443

SHA256
32129fe0a43249c2fc617af550e27d37a0eb6af48821ee0499ac3bbf1129dcc1

SHA512
036df2daebf09045e264ed96322622106ec0029a37477d09f70aba06cb3420700625318022764f4817bcee835c98f472c37fb54ea2d646e3f84eb3b8738489fa

Download Submit
C:\Users\Admin\Desktop\GroupHide.html

Filesize
734KB

MD5
9d66866ea612e9e86e4f30c20ec4f033

SHA1
d7b5e13e935a62b422ef93c63951602bbf582ee8

SHA256
9ff005c0726b4610d688130b034ffe1641385cf2064a225bac330da89f056e99

SHA512
aaab2bfaa67573f72b546975d14a2045a056c8106e403516afb477f1dd3eeb56c420047070617eb8e762ef0c90babf0de5b49520ccc8d65a057cf76c80591e38

Download Submit
C:\Users\Admin\Desktop\InitializeApprove.3gp

Filesize
859KB

MD5
315261f16ad6d518cd8b2d59168c0c0b

SHA1
56fcd3ca6e71525a34d910aad637cfbdfcabeb56

SHA256
5f6572657d7d74b5f0a1573da76bfcae75fb04452ea8573578fbaeb356a76f33

SHA512
b79d83bf8d556c9cdf3a3c36461c760fde066f565fac3b48fb41157c43af2f99d874aeccf14c47a768db62a7423dc31bbcf4835d1a8466ff6c2e0d60ea9647ed

Download Submit
C:\Users\Admin\Desktop\OpenResize.mpe

Filesize
320KB

MD5
299aae76f0bf8d33c31e6430b3b4efc8

SHA1
3de1efab9de7cd07ca65f12be07afee02bf1ea61

SHA256
512f18a851b0dc37314d1d2975a6d659f17e0c192eca9418e762e4d8f0bb9750

SHA512
4177b868643704811f39e95c477e583f07bcb03e5b43e3fc8f13084901eff21f7e2ec7d7758e6aec819f994bc2b1ba127c904b9779bc1cf969d48f6266b99ea0

Download Submit
C:\Users\Admin\Desktop\OpenTrace.potm

Filesize
527KB

MD5
24ea8bafdb6f7a8b5cd58b1e1765a0e9

SHA1
24c365fca76bd9ebe9c8eede39dee6404732e47b

SHA256
7cb2265967b0b5a4220d046d6fa7b2f0a96090ec899b6b0eeb8d70f070a51cd7

SHA512
f972d89245c534e8826be1573671adb294c70af3798fa71d604bf4b50525804c97121832e8af817f4655049c4c78139bd73c6a16df423aa1a890ba82e19e12a3

Download Submit
C:\Users\Admin\Desktop\ProtectMount.3g2

Filesize
693KB

MD5
5024e89853b9a8acb44104c1c31c6c54

SHA1
2ce6db098d8f72acab6fd4448cf6326a8219c9c7

SHA256
fe4eb0b649f636db634927d405a6cd96f58a8de2e1a41df11d0f6b8297be24fb

SHA512
51949ea5481971cb017c1731eda63914f9aa7b8612d14d481e42e7fb116e4041a10d05a61ab59f50a3069ce43ad117ba6e091fa80d8720fda6501c24f60b01e3

Download Submit
C:\Users\Admin\Desktop\PushNew.wvx

Filesize
1.2MB

MD5
741aee9be20dbd8625d274b9bb7e6fb5

SHA1
9b04d2551c6c60b32cde014fbe65db94553302a0

SHA256
1a95a8ca081f095b75f5dfd4679b85b2d10fb67e0a14f238cbca918eab724413

SHA512
c5e73cb4ca7faa6bf0345a7c5f0878ff801ede3b942da46af161a41a7dc30c49335edff87093d99be84ca702238345f19d953af571929a8d896281262bf7f712

Download Submit
C:\Users\Admin\Desktop\RedoUnprotect.vsdm

Filesize
445KB

MD5
3e8f3e7c4504a75738a4a5282cde27a4

SHA1
5a390b714252fec973e5f4b5080ab5aeb74846db

SHA256
3daf6cfdde19eb670c86a4c1173364bc30cae5626054f353098f916db745f729

SHA512
0f8a2defab827d210ce5c0d23b32274fb4cff06d161d72f8a49754aac7127c8c91fc4379d4b837874ad57d65e0b2447bef9d4391fbbd2cf1796c757703e2b443

Download Submit
C:\Users\Admin\Desktop\RemoveRedo.M2TS

Filesize
589KB

MD5
720fe3dcc02f141ccb25e5aca55c39f6

SHA1
31386ccf5be4d6464c6c30f714be857aee107a9c

SHA256
9436b509d20f44ae4cf88a6f0b8f53e3dd41b79d61d20509732e69f8dd5553ab

SHA512
4a75b752c4cee8a9c24bce48e8088f1979a4e4944358f8ba0b50c92d4842508b4ac2e0959f4aa232978445284587d139c72534a8677cd2af5cb83240afee0650

Download Submit
C:\Users\Admin\Desktop\ResumeCompress.inf

Filesize
631KB

MD5
bb542f81f1488527c685b961ffcc473d

SHA1
b8e05a4a5d66b5dec41ca19453134eadb310a16c

SHA256
a11a634883b799cbe7275bb38ece4dfd2932989e447888e8170ba9dc98871ef2

SHA512
0ff842ef89e020811a9faead13927dbd9ebd28047a53fd9d14e9d2d6b4e49809d3e89f6466f14c60abe150c378179bbc8b90eb732aa6e8910daa6c5e2b458961

Download Submit
C:\Users\Admin\Desktop\ResumeUndo.au3

Filesize
755KB

MD5
de609fd93adf57cec45b3c70cabfa1ca

SHA1
0182e2058c6b2c858dfdbff82b7b54d8ff26702f

SHA256
8eba350beace054619873529acc8950ccd4df3cd2e5bfac6f85275c135e3babe

SHA512
c2f6d75c9110c8ced87128b36d9ecbb30372cceacdbefea8ce856e0c00cedd27bdace6bfe98b8edbc7a6f6ed0870658176f65fd2606272ff20bfd075baaf9c3f

Download Submit
C:\Users\Admin\Desktop\RevokeComplete.eprtx

Filesize
486KB

MD5
49541104bf6456cc8697ab69676b4410

SHA1
184d9fe2679aaea67d256e08ef6efecb6f482090

SHA256
a9c8c4c5ba67e24000bce66c629e060de6df97c54f54fc900f8e55c5af883e3b

SHA512
8af59e7553f06d07723ad096257e8f112e7ada67e57c08c61b0f9f11024431a52b9557d0ebe7a7c7f013504f6e43094821af2ab3fca8cd0e48394fef79904007

Download Submit
C:\Users\Admin\Desktop\SelectBackup.ADT

Filesize
403KB

MD5
dfdb6119b5114df2a7872c2211acb892

SHA1
a5e55cf88b4867aa5e5d1624e4ba60a22ef5f296

SHA256
0cd19c378cd5061251a2c15de9cf3ca676f73827abefad8914bf50d82bf7b380

SHA512
0d97a84f206736d5261d224cd8b8f7d6fa79ef9a0646b30904a70d670aadd307bfce53be18e5953e42af4ce8958f466c2e416eebf3760bd8d204eb18851b33e3

Download Submit
C:\Users\Admin\Desktop\SetSkip.txt

Filesize
341KB

MD5
8d5756a6db68db867380cd0fe69af75b

SHA1
187ab1889f0ad7207eabde9bc1672c46a1143655

SHA256
40cda0e26d59b078c0b3944b2d02100671ac4ff54ffd980190a98300d66046c0

SHA512
9eeca2b879c0dd4fe7d7680485a140b9b38f6bb60e6a78ff98bf46b97844b1239bfed7bb30ff9dadde90010f7d7a9e3090f5816a438e7ec979f13bee72530d9a

Download Submit
C:\Users\Admin\Desktop\SetSuspend.nfo

Filesize
610KB

MD5
40c3f188602f5400902e67757bdb049c

SHA1
85ae61996f9f462a680373d13529c7126125aeb4

SHA256
151abf0e3eb833729802a5cb662f1e77ce87922a19e36aa6e03024c5afe593fb

SHA512
bbbf7e961ecb0d86bef30f2f1d6433d6850b1093104d7aaa7c534d472f950b40db5955ea7d3b9cb504ae1cef13fa369533aaeb9c4db32956d2f04485100fcc6a

Download Submit
C:\Users\Admin\Desktop\SplitProtect.xlsx

Filesize
12KB

MD5
56e85b1d4a543caa9d39490f405eaa52

SHA1
1f6a7aa71d93fd1be21d35d1e1d89d93d93520a4

SHA256
8fbaf641eade79038c7a24e80cc2bc1c992ffd6219e973418f48422ab750bc87

SHA512
4fa4160282f42676c8c4bad652bce83bce8bb940c34532b57683182d8e504dbd5e0b7fe960d028ddc8f912075942c637e26d4d79146b6d8ebfef9d434f0a150e

Download Submit
C:\Users\Admin\Desktop\StartSkip.docx

Filesize
18KB

MD5
526f233b3ba47c7e1cc84de0492d288a

SHA1
7a0d70969f85a26258c27e31573cc52107b7eec2

SHA256
935552c3b5f189961e5dba8853a4ff3a0ccb40fcd04a833bc370edd4dba8f1c6

SHA512
ad57b4692ce824ad32333257e90552980b33da0a5077dddb278afaae6af586cef7750d3fe584ae014a16a68555e30db0359225b57bee999906e691bab3de714a

Download Submit
C:\Users\Admin\Desktop\SuspendDebug.xps

Filesize
362KB

MD5
6d7e36b0024ffbd109bddd8a859a05fb

SHA1
b04701405bc2b0a6b9414b4e60ae091b70791126

SHA256
f1c02d162673cbd08b75892e442aa2d67eac7f580076a55e5954b32cc44339b4

SHA512
0f5e069c440ee9bbe025236d83ffbe914beb7af69a4ebbeac6715a8f2b171bdfa0910062b17e52a22c6356e91bd5bb4056feaff2f33cf13410adfc921f22f88e

Download Submit
C:\Users\Admin\Desktop\SwitchHide.tiff

Filesize
507KB

MD5
3e5c696c4f77ca9425b0293cce75c846

SHA1
fa453292cdd811e728790e36d9ceb852f0be31f8

SHA256
81253b9b1c00dcf0134af0ac32d7bef71a4a5a52d496b7c7c226f4fa67ba18d8

SHA512
07090bb97b7af7926ad6d3760130920be847b209b47b171817a04f56663e92ea0c130153af7e2426b75370b6c8dd4e7d88bd1c77a7d67f2ad2436010d9c660da

Download Submit
C:\Users\Admin\Desktop\UnblockEdit.xls

Filesize
548KB

MD5
54a1f91356029f76d5a54e5b9436546d

SHA1
a35806f7aebe9594d92facc84f4173addbbc139c

SHA256
3d338b98b375b2d86bce2f649bb183988dfef2b15248e6173e27e98bc6616e6d

SHA512
286dbae207b701887bcfdd7bdcf072b9be32b409a0833ba7b1bfd7210b3d1e27bb9053ffe2530e005a60a51fc266bba5b107ac0695a0e5680dc0550ada844889

Download Submit
C:\Users\Admin\Desktop\UnlockReceive.inf

Filesize
465KB

MD5
4f6d24a9347de56a6bd8443d987b241c

SHA1
265c8d359a4fc02edcd3a22c0d773fa79ed6576f

SHA256
6ddf4845ba5b335e2b8b3d39e5681b96885226a8f0ead4d584acd8ddb9b254a9

SHA512
1a63edae61bc0a4ea56449a4236c3f9215cfce345a470365ab9c125a43117dc4e8e1d578c0e7c4c4d9c68a7f8995362b5384f1f55ec50351037a735df730a3d6

Download Submit
C:\Users\Admin\Desktop\UnpublishSuspend.vssx

Filesize
838KB

MD5
6ee9c6189459da63fa3d3f3133f9f5d1

SHA1
4e74be928f9c718623fe3011a81d2aa16754951c

SHA256
d951d7cd9b94cc72c3649c50b100ccd72af241c720a2e32d7efcc19903d1975e

SHA512
985c959e6d6717c7d258051a3f24aa109b63a01c884ac550f64193a62b3a79d19fc0f24c94f14f99d15599de82a7a90b8ea8a86c20b2a2b472b8866e53d787a6

Download Submit
C:\Users\Admin\Desktop\UseInstall.docx

Filesize
18KB

MD5
56fcd5bd985341f0ea0acfe089d5b582

SHA1
8446c021ecb8391a5549ab1c77dd8d85076f1fd8

SHA256
cf550a64e99ab0092f929b75a9910c8dc52f8376989ac271175d475758fd5fe8

SHA512
1e703474027a0d30d337c2c0a5bbc06b9b499d6fce112c58f5f5d69e1f30d4ffb6143b25fe758f7ca8838852df6e0d8a2f7bfaefb8f1f8a65103389841240eba

Download Submit
C:\Users\Admin\Desktop\WaitSuspend.docx

Filesize
20KB

MD5
e9edab23addd22f775b89e1ed635db5f

SHA1
6c4983726b37d8e46e8d8592b205d8a46c8706f1

SHA256
c1f70fc06709878f50d241a016f8ecad5e16ebb5d746b735f53ffa8739ed976a

SHA512
18a8124dcca8e302fc1f540b45f09c7ec86d91b1cfdeed8a34046a7b669e298c4b1305250b1836adacd33e6253a893307f22dfd2179bc5c1260f1b4206d067f0

Download Submit
C:\Users\Admin\Desktop\WriteRemove.aifc

Filesize
817KB

MD5
5a20fe6d813ec7e69eda0fe3688de2a2

SHA1
d85d55028b55bfa92dd0ef8ea22188f9b4bbac16

SHA256
df4d1ed4e2af0164ac0ffe922867616d23ad46ee0c435303a331a38e29290e9b

SHA512
a69a13897fe5bd5016d76a9256bd943809ea6a758f24d8f99f1a486c02b38533258ce27562ebeccc1e21091973d691f46d1ed8324ddd6619a943668f7df403aa

Download Submit