hxxps://rebrand[.]ly/edaua9pd-26808f-oup-afad80f-afug

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rebrand.ly/edaua9pd-26808f-oup-afad80f-afug

Score

6^/10

discovery motw phishing

Malware Config

Signatures

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ipinfo.io
87	ipinfo.io
92	ipinfo.io

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
85	https://b2-nine.vercel.app/ruu.html/hwkls.html	4308	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\msedge_url_fetcher_1612_992853537\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_159431365\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1683323293\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1960430352\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_159431365\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1117304838\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1117304838\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1603621956\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_159431365\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1117304838\LICENSE	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876065941488586"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{F8674744-C103-4A68-BD5F-26AEFE625FB8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5268	msedge.exe
5268	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3156	1612	msedge.exe	85
PID 1612 wrote to memory of 3156	1612	msedge.exe	85
PID 1612 wrote to memory of 4308	1612	msedge.exe	86
PID 1612 wrote to memory of 4308	1612	msedge.exe	86
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 2548	1612	msedge.exe	87
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88
PID 1612 wrote to memory of 4796	1612	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://rebrand.ly/edaua9pd-26808f-oup-afad80f-afug
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b8,0x7ff9919cf208,0x7ff9919cf214,0x7ff9919cf220
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1988,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2188,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2428,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4852,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4824,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5644,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3464,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3912,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=776,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5632,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2892,i,8804801277523101750,5455893567713451647,262144 --variations-seed-version --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1117304838\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1117304838\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1117304838\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1612_1960430352\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
60d40d2b37759323c10800b75df359b8

SHA1
f5890e7d8fc1976fe036fea293832d2e9968c05c

SHA256
c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0

SHA512
0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
22430ba0cae5c32f269ae9332b2890d6

SHA1
8920890033b9751ed8a1f5fc78ad320481e524db

SHA256
3be8efe765f52816d3ca933b5568d96e4d2358db1b4ee0c6ae657f65fea3208f

SHA512
aff3fc9a71ce9fc1a1e613755a7c8565cc69f761eb02ea0e11b3c7c209069ca42058bee6ff2618aebf7bf70c7d3cf53709392f30fae7db366aa89b6fbbe6053a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57b7d6.TMP

Filesize
3KB

MD5
3ba807272c096e5710fcdd4dd0fc741b

SHA1
ae6ede519d83757491965f04475cd7c5bfda29fb

SHA256
3301bfd655cec798a5e809f7c76bd514a507970348c6f3727da35b0b9aecb30d

SHA512
13165c16838da7961da32bfbc02345a992ba358680520bfb2e81e9886f800c7153e0606d7623258ba757ac3aee8c0512e3baedf9b283f46a3fca7d386e02bd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d771e2ec075a6c4c44e1d3b15ba7e778

SHA1
4e759e41e11b1fe91d271bc5dc6313f005cdbc2b

SHA256
7f09dc0d1057d8267859985191283a44521950d87578dd897fb3a065cfe03f22

SHA512
89a3c842e9f5fae840e7d0ca08ce1a81e6cb6cc475930abeb9b6e1f5313ed06e1e65ea433118a0a730a38635bc56fea94859c8ce0d0ef2fe1a9367a1ebf0198a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
d441d1bf761f1ab7b682e394f8ebb399

SHA1
512137f5aba40358f552805927728357129934d3

SHA256
ce9e1101c89c6287909cdaba791ab6cbea9a406a86c105a451c921e3b3a59df9

SHA512
7a7a7b319d2b065410f1c0f3d2bf3e16ba88065d2f3cdba127d1fa1953fa03822d880341a7ed9a28ddb19a1dc80dde9fff75e9375bd3616882005586508c2309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
99c92b5930a0102b60cd54663f221223

SHA1
2e412d966d92794f9d0d53825beac4e9f3b79197

SHA256
4ca0545f46582c3b325a8d8a04397aa3e594090446e2902245b803916904d93c

SHA512
cd11a73de4aac7591fb95712a156aa84995a0f1513e32ac8f73c2fc723c3e68c38d96bf7c8d5663ff5cb9c961abbb14f61c915c81f942f78558cdd6ac5f2fbac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
7312225a2ed7b5f65ece12513ea296a6

SHA1
76477bc48ed09ca401871d4a930146035cfc7a91

SHA256
62a79e8d52400a3abf55a8e679ea03e128729299a30b2ac51a6644b7ef98bc2c

SHA512
0b0fb17969882b4d31b3d2e5b1ed499362b9bf1c0704764540d6c9e82a96b780501ff68dcbf01ec140662b4a5c482c56cef7c6c11c555a4147b08d8537f79763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
6d978e794bd92a876f8bf2f6891696fc

SHA1
788e0ba5fb907afe1aada45f5af7830e3c3c6892

SHA256
2ada8a25b7fe3780be364a3a04268102bf24e7a1b6d20bafd8a3cbac876f35f4

SHA512
a5a1b79c2083da045ccd8f58c480419a6a14d90f25214f6c3efdffcf1cb2e2e4a64be507bea0a1a31f7b9a0219ca3a508b3ca71a261513a490bf881f371a0da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
ad2b1f0afc63c82764cf8e8dcbe8e66e

SHA1
4b9d2f66ab4109e3299cb893743b4df73a3ce731

SHA256
26138953efa9551ceeb257c68a312b99251019e8f4ffd7d1a6f12e77e4e28b94

SHA512
fe7dd859577db6e29d291b478024aa770ebf07f735d7ac4ba240deb3860dda10d3ee32cd9d53de8af0638f049346d023b2f998f5dcd65128f10c1d48caf5f749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
694de90181091c6a911da34461a185f6

SHA1
da7424d631d0a3943eb8265a5ef48d72cd16a497

SHA256
4772bc77c2783191c37efde62aa2b5edd6540a19560f7884dfaf5d51357a8dd4

SHA512
cc05c2343ff87376fc27d53c6ab1b0018c696a9071a37f10d8fb8cc61a16aa5808804957b7ea099d0d7f197ac80a5f28a28795a175d09af7c0a1e0fe61310015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
3a4b7402a5e65049734bfcff598706ae

SHA1
02d241bd0a0809a746a8cc4d54c712fce684328d

SHA256
80e3316cad48eb2841b03c4ade01c515f484142d4485c1d4b8d5fb8c418eb650

SHA512
9e4478a0eca85c2f56edfd59fe2cada07a980e18cdfb51d297d863da0b945ecf8f5ca152ae4ff3686251c2b4852b74e4828c5810e4a012c815924d654dd8feb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
7fe32f596f4a5ac8cdc97099a6d015a0

SHA1
dcc976455da2813ab63aaa956a23fd057a700dc8

SHA256
0cb495e887d462e5816d2c0fc21754185cea84ce16242f7aec6a1cccaa11ae5d

SHA512
352e6e2e5adc7f4f802cdbc566f3d59cd83c11d44e30cb98063ef2445cc09f902798251049d0f8b4d7e62fa151fb7d2fbe062d886e6bcaf42d81f1b364d99bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a2e8c9bcd5c71e84c408b92145f79148

SHA1
61aeac448bf90ea3910c84cd896073fd750b6642

SHA256
9c88066afde95c60ced2b3c50bdcd362dce6f6342348d7d5729a41f4af64c991

SHA512
77c7a673ef2ec32674af2ed8af7055ae5ccf6e0020018eb1846ee2005e677afdb3b9a5efa35d51186a1260cc8d3e56fdc779e9e4f0a05616a3f3593a162da844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
85ea7bdcd03c2617abdcb233bd45e76e

SHA1
361e6ad4c24b45b9e5183be59ccfa8d35db4a79d

SHA256
2f8e527cbe6a59fe78cc6c3dcc2f0c8476c5354767a098511958346ca8470465

SHA512
7d83e89e14f714238ab3099d9b9ea6827d5a2c5486a38b34b34135c63164609b357fd7ddf69392a5beb1557c3c5dea83186552cc76b18a6e89983fcbd06a6d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
d0b80e94c787f959a0351b7b9f25f31d

SHA1
c04ced091e61955e8bd6cd05e0f98465870ce5c5

SHA256
89c036a84599c596c9be579e1ce8141d4d1fb7600f29a9fb2f781dfa1e8c09dd

SHA512
463ab45ab30054abdf90017ca57760fa04e298899bb1096c3f6388454058f3326ab5a9627c90074a5d7f01568dc7a0d2c3ed20360b8eede23dfb382b7c2fe3d3

Download Submit