cobaltstrike | 4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb

Analysis

max time kernel
130s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
Size

5.9MB
MD5

f57e1c1b0968adaca8eab94f200299d6
SHA1

38d2ca1ff3dfb127f8a0aa004e65a32e285c2b11
SHA256

4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb
SHA512

d5d199adc2fb6df9b147fa93843573b150dc6178b9ccff72b983449eb1e0202941e7f75d5e7411e06a5cbfb3ad277275eb839c7d449c9dbd284a2e754bd852af

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 42 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\TOeBpTF.exe	cobalt_reflective_dll
C:\Windows\system\TOeBpTF.exe	cobalt_reflective_dll
\Windows\system\AkKVlYd.exe	cobalt_reflective_dll
C:\Windows\system\AkKVlYd.exe	cobalt_reflective_dll
\Windows\system\OazPdnh.exe	cobalt_reflective_dll
C:\Windows\system\zAUzkGk.exe	cobalt_reflective_dll
\Windows\system\zAUzkGk.exe	cobalt_reflective_dll
\Windows\system\QasHGMw.exe	cobalt_reflective_dll
C:\Windows\system\OazPdnh.exe	cobalt_reflective_dll
C:\Windows\system\UzKiRNY.exe	cobalt_reflective_dll
\Windows\system\UzKiRNY.exe	cobalt_reflective_dll
\Windows\system\YHybVfX.exe	cobalt_reflective_dll
\Windows\system\VDPAFiU.exe	cobalt_reflective_dll
C:\Windows\system\VDPAFiU.exe	cobalt_reflective_dll
C:\Windows\system\YHybVfX.exe	cobalt_reflective_dll
C:\Windows\system\BnQBrig.exe	cobalt_reflective_dll
C:\Windows\system\QasHGMw.exe	cobalt_reflective_dll
\Windows\system\BnQBrig.exe	cobalt_reflective_dll
\Windows\system\TkyJOPN.exe	cobalt_reflective_dll
\Windows\system\cxUSolt.exe	cobalt_reflective_dll
\Windows\system\rzMokXL.exe	cobalt_reflective_dll
C:\Windows\system\TkyJOPN.exe	cobalt_reflective_dll
C:\Windows\system\rzMokXL.exe	cobalt_reflective_dll
\Windows\system\NUyALzi.exe	cobalt_reflective_dll
C:\Windows\system\hfCxQtV.exe	cobalt_reflective_dll
\Windows\system\hfCxQtV.exe	cobalt_reflective_dll
C:\Windows\system\cxUSolt.exe	cobalt_reflective_dll
\Windows\system\xbUOlJl.exe	cobalt_reflective_dll
C:\Windows\system\PaqYUkf.exe	cobalt_reflective_dll
C:\Windows\system\NUyALzi.exe	cobalt_reflective_dll
C:\Windows\system\xbUOlJl.exe	cobalt_reflective_dll
\Windows\system\PaqYUkf.exe	cobalt_reflective_dll
\Windows\system\aqpPpyd.exe	cobalt_reflective_dll
\Windows\system\icdPYxE.exe	cobalt_reflective_dll
\Windows\system\NecneSf.exe	cobalt_reflective_dll
C:\Windows\system\aqpPpyd.exe	cobalt_reflective_dll
C:\Windows\system\icdPYxE.exe	cobalt_reflective_dll
C:\Windows\system\NecneSf.exe	cobalt_reflective_dll
\Windows\system\eRuaQAC.exe	cobalt_reflective_dll
C:\Windows\system\eRuaQAC.exe	cobalt_reflective_dll
\Windows\system\CddCaUV.exe	cobalt_reflective_dll
C:\Windows\system\CddCaUV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\TOeBpTF.exe	xmrig
C:\Windows\system\TOeBpTF.exe	xmrig
\Windows\system\AkKVlYd.exe	xmrig
C:\Windows\system\AkKVlYd.exe	xmrig
\Windows\system\OazPdnh.exe	xmrig
behavioral1/memory/1768-67-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/memory/1676-60-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
C:\Windows\system\zAUzkGk.exe	xmrig
\Windows\system\zAUzkGk.exe	xmrig
\Windows\system\QasHGMw.exe	xmrig
C:\Windows\system\OazPdnh.exe	xmrig
C:\Windows\system\UzKiRNY.exe	xmrig
\Windows\system\UzKiRNY.exe	xmrig
behavioral1/memory/696-77-0x000000013F840000-0x000000013FB94000-memory.dmp	xmrig
\Windows\system\YHybVfX.exe	xmrig
behavioral1/memory/1792-84-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
\Windows\system\VDPAFiU.exe	xmrig
C:\Windows\system\VDPAFiU.exe	xmrig
behavioral1/memory/1540-87-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
C:\Windows\system\YHybVfX.exe	xmrig
C:\Windows\system\BnQBrig.exe	xmrig
C:\Windows\system\QasHGMw.exe	xmrig
\Windows\system\BnQBrig.exe	xmrig
behavioral1/memory/544-96-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
\Windows\system\TkyJOPN.exe	xmrig
\Windows\system\cxUSolt.exe	xmrig
\Windows\system\rzMokXL.exe	xmrig
C:\Windows\system\TkyJOPN.exe	xmrig
behavioral1/memory/592-103-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
C:\Windows\system\rzMokXL.exe	xmrig
\Windows\system\NUyALzi.exe	xmrig
C:\Windows\system\hfCxQtV.exe	xmrig
\Windows\system\hfCxQtV.exe	xmrig
behavioral1/memory/1112-112-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
C:\Windows\system\cxUSolt.exe	xmrig
\Windows\system\xbUOlJl.exe	xmrig
C:\Windows\system\PaqYUkf.exe	xmrig
C:\Windows\system\NUyALzi.exe	xmrig
C:\Windows\system\xbUOlJl.exe	xmrig
\Windows\system\PaqYUkf.exe	xmrig
behavioral1/memory/1968-133-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
\Windows\system\aqpPpyd.exe	xmrig
\Windows\system\icdPYxE.exe	xmrig
behavioral1/memory/824-134-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
\Windows\system\NecneSf.exe	xmrig
C:\Windows\system\aqpPpyd.exe	xmrig
C:\Windows\system\icdPYxE.exe	xmrig
behavioral1/memory/576-143-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/772-144-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
C:\Windows\system\NecneSf.exe	xmrig
behavioral1/memory/1544-146-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/1556-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/1592-148-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/852-149-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/memory/1164-150-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/1756-151-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/1704-152-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/1052-153-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/1768-154-0x000000013F300000-0x000000013F654000-memory.dmp	xmrig
behavioral1/memory/1792-155-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
\Windows\system\eRuaQAC.exe	xmrig
C:\Windows\system\eRuaQAC.exe	xmrig
behavioral1/memory/1592-162-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
\Windows\system\CddCaUV.exe	xmrig

Executes dropped EXE 21 IoCs

Processes:

TOeBpTF.exeAkKVlYd.exezAUzkGk.exeOazPdnh.exeUzKiRNY.exeQasHGMw.exeVDPAFiU.exeYHybVfX.exeBnQBrig.exeTkyJOPN.exerzMokXL.execxUSolt.exehfCxQtV.exeNUyALzi.exePaqYUkf.exexbUOlJl.exeaqpPpyd.exeicdPYxE.exeNecneSf.exeeRuaQAC.exeCddCaUV.exe

pid	process
1768	TOeBpTF.exe
1592	AkKVlYd.exe
696	zAUzkGk.exe
1792	OazPdnh.exe
1540	UzKiRNY.exe
852	QasHGMw.exe
544	VDPAFiU.exe
592	YHybVfX.exe
1112	BnQBrig.exe
1164	TkyJOPN.exe
1968	rzMokXL.exe
1756	cxUSolt.exe
824	hfCxQtV.exe
1704	NUyALzi.exe
576	PaqYUkf.exe
772	xbUOlJl.exe
1544	aqpPpyd.exe
1556	icdPYxE.exe
1052	NecneSf.exe
1648	eRuaQAC.exe
588	CddCaUV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\TOeBpTF.exe	upx
C:\Windows\system\TOeBpTF.exe	upx
\Windows\system\AkKVlYd.exe	upx
C:\Windows\system\AkKVlYd.exe	upx
\Windows\system\OazPdnh.exe	upx
behavioral1/memory/1768-67-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/memory/1676-60-0x000000013F100000-0x000000013F454000-memory.dmp	upx
C:\Windows\system\zAUzkGk.exe	upx
\Windows\system\zAUzkGk.exe	upx
\Windows\system\QasHGMw.exe	upx
C:\Windows\system\OazPdnh.exe	upx
C:\Windows\system\UzKiRNY.exe	upx
\Windows\system\UzKiRNY.exe	upx
behavioral1/memory/696-77-0x000000013F840000-0x000000013FB94000-memory.dmp	upx
\Windows\system\YHybVfX.exe	upx
behavioral1/memory/1792-84-0x000000013F030000-0x000000013F384000-memory.dmp	upx
\Windows\system\VDPAFiU.exe	upx
C:\Windows\system\VDPAFiU.exe	upx
behavioral1/memory/1540-87-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
C:\Windows\system\YHybVfX.exe	upx
C:\Windows\system\BnQBrig.exe	upx
C:\Windows\system\QasHGMw.exe	upx
\Windows\system\BnQBrig.exe	upx
behavioral1/memory/544-96-0x000000013F100000-0x000000013F454000-memory.dmp	upx
\Windows\system\TkyJOPN.exe	upx
\Windows\system\cxUSolt.exe	upx
\Windows\system\rzMokXL.exe	upx
C:\Windows\system\TkyJOPN.exe	upx
behavioral1/memory/592-103-0x000000013F200000-0x000000013F554000-memory.dmp	upx
C:\Windows\system\rzMokXL.exe	upx
\Windows\system\NUyALzi.exe	upx
C:\Windows\system\hfCxQtV.exe	upx
\Windows\system\hfCxQtV.exe	upx
behavioral1/memory/1112-112-0x000000013F600000-0x000000013F954000-memory.dmp	upx
C:\Windows\system\cxUSolt.exe	upx
\Windows\system\xbUOlJl.exe	upx
C:\Windows\system\PaqYUkf.exe	upx
C:\Windows\system\NUyALzi.exe	upx
C:\Windows\system\xbUOlJl.exe	upx
\Windows\system\PaqYUkf.exe	upx
behavioral1/memory/1968-133-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
\Windows\system\aqpPpyd.exe	upx
\Windows\system\icdPYxE.exe	upx
behavioral1/memory/824-134-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
\Windows\system\NecneSf.exe	upx
C:\Windows\system\aqpPpyd.exe	upx
C:\Windows\system\icdPYxE.exe	upx
behavioral1/memory/576-143-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/772-144-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
C:\Windows\system\NecneSf.exe	upx
behavioral1/memory/1544-146-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/memory/1556-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/1592-148-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/852-149-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/memory/1164-150-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/1756-151-0x000000013FD10000-0x0000000140064000-memory.dmp	upx
behavioral1/memory/1704-152-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/1052-153-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/1768-154-0x000000013F300000-0x000000013F654000-memory.dmp	upx
behavioral1/memory/1792-155-0x000000013F030000-0x000000013F384000-memory.dmp	upx
\Windows\system\eRuaQAC.exe	upx
C:\Windows\system\eRuaQAC.exe	upx
behavioral1/memory/1592-162-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
\Windows\system\CddCaUV.exe	upx

Loads dropped DLL 21 IoCs

Processes:

4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

pid	process
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

Drops file in Windows directory 21 IoCs

Processes:

4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

description	ioc	process
File created	C:\Windows\System\TOeBpTF.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\QasHGMw.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\TkyJOPN.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\icdPYxE.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\VDPAFiU.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\rzMokXL.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\xbUOlJl.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\PaqYUkf.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\aqpPpyd.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\eRuaQAC.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\AkKVlYd.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\zAUzkGk.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\YHybVfX.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\BnQBrig.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\NUyALzi.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\hfCxQtV.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\NecneSf.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\OazPdnh.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\UzKiRNY.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\cxUSolt.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
File created	C:\Windows\System\CddCaUV.exe	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

description	pid	process
Token: SeLockMemoryPrivilege	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
Token: SeLockMemoryPrivilege	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe

description	pid	process	target process
PID 1676 wrote to memory of 1768	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	TOeBpTF.exe
PID 1676 wrote to memory of 1768	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	TOeBpTF.exe
PID 1676 wrote to memory of 1768	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	TOeBpTF.exe
PID 1676 wrote to memory of 1592	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	AkKVlYd.exe
PID 1676 wrote to memory of 1592	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	AkKVlYd.exe
PID 1676 wrote to memory of 1592	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	AkKVlYd.exe
PID 1676 wrote to memory of 1792	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	OazPdnh.exe
PID 1676 wrote to memory of 1792	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	OazPdnh.exe
PID 1676 wrote to memory of 1792	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	OazPdnh.exe
PID 1676 wrote to memory of 696	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	zAUzkGk.exe
PID 1676 wrote to memory of 696	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	zAUzkGk.exe
PID 1676 wrote to memory of 696	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	zAUzkGk.exe
PID 1676 wrote to memory of 852	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	QasHGMw.exe
PID 1676 wrote to memory of 852	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	QasHGMw.exe
PID 1676 wrote to memory of 852	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	QasHGMw.exe
PID 1676 wrote to memory of 1540	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	UzKiRNY.exe
PID 1676 wrote to memory of 1540	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	UzKiRNY.exe
PID 1676 wrote to memory of 1540	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	UzKiRNY.exe
PID 1676 wrote to memory of 592	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	YHybVfX.exe
PID 1676 wrote to memory of 592	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	YHybVfX.exe
PID 1676 wrote to memory of 592	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	YHybVfX.exe
PID 1676 wrote to memory of 544	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	VDPAFiU.exe
PID 1676 wrote to memory of 544	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	VDPAFiU.exe
PID 1676 wrote to memory of 544	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	VDPAFiU.exe
PID 1676 wrote to memory of 1164	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	TkyJOPN.exe
PID 1676 wrote to memory of 1164	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	TkyJOPN.exe
PID 1676 wrote to memory of 1164	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	TkyJOPN.exe
PID 1676 wrote to memory of 1112	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	BnQBrig.exe
PID 1676 wrote to memory of 1112	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	BnQBrig.exe
PID 1676 wrote to memory of 1112	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	BnQBrig.exe
PID 1676 wrote to memory of 1756	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	cxUSolt.exe
PID 1676 wrote to memory of 1756	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	cxUSolt.exe
PID 1676 wrote to memory of 1756	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	cxUSolt.exe
PID 1676 wrote to memory of 1968	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	rzMokXL.exe
PID 1676 wrote to memory of 1968	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	rzMokXL.exe
PID 1676 wrote to memory of 1968	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	rzMokXL.exe
PID 1676 wrote to memory of 1704	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	NUyALzi.exe
PID 1676 wrote to memory of 1704	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	NUyALzi.exe
PID 1676 wrote to memory of 1704	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	NUyALzi.exe
PID 1676 wrote to memory of 824	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	hfCxQtV.exe
PID 1676 wrote to memory of 824	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	hfCxQtV.exe
PID 1676 wrote to memory of 824	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	hfCxQtV.exe
PID 1676 wrote to memory of 772	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	xbUOlJl.exe
PID 1676 wrote to memory of 772	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	xbUOlJl.exe
PID 1676 wrote to memory of 772	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	xbUOlJl.exe
PID 1676 wrote to memory of 576	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	PaqYUkf.exe
PID 1676 wrote to memory of 576	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	PaqYUkf.exe
PID 1676 wrote to memory of 576	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	PaqYUkf.exe
PID 1676 wrote to memory of 1556	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	icdPYxE.exe
PID 1676 wrote to memory of 1556	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	icdPYxE.exe
PID 1676 wrote to memory of 1556	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	icdPYxE.exe
PID 1676 wrote to memory of 1544	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	aqpPpyd.exe
PID 1676 wrote to memory of 1544	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	aqpPpyd.exe
PID 1676 wrote to memory of 1544	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	aqpPpyd.exe
PID 1676 wrote to memory of 1052	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	NecneSf.exe
PID 1676 wrote to memory of 1052	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	NecneSf.exe
PID 1676 wrote to memory of 1052	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	NecneSf.exe
PID 1676 wrote to memory of 1648	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	eRuaQAC.exe
PID 1676 wrote to memory of 1648	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	eRuaQAC.exe
PID 1676 wrote to memory of 1648	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	eRuaQAC.exe
PID 1676 wrote to memory of 588	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	CddCaUV.exe
PID 1676 wrote to memory of 588	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	CddCaUV.exe
PID 1676 wrote to memory of 588	1676	4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe	CddCaUV.exe

C:\Users\Admin\AppData\Local\Temp\4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe
"C:\Users\Admin\AppData\Local\Temp\4215e87e7c3338c0a28dc8923f0f17fae602d8d1005ea29bd4becafef4e5cdfb.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\System\TOeBpTF.exe
C:\Windows\System\TOeBpTF.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\System\AkKVlYd.exe
C:\Windows\System\AkKVlYd.exe
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\System\OazPdnh.exe
C:\Windows\System\OazPdnh.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\zAUzkGk.exe
C:\Windows\System\zAUzkGk.exe
2⤵
- Executes dropped EXE
PID:696

C:\Windows\System\QasHGMw.exe
C:\Windows\System\QasHGMw.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\UzKiRNY.exe
C:\Windows\System\UzKiRNY.exe
2⤵
- Executes dropped EXE
PID:1540

C:\Windows\System\YHybVfX.exe
C:\Windows\System\YHybVfX.exe
2⤵
- Executes dropped EXE
PID:592

C:\Windows\System\VDPAFiU.exe
C:\Windows\System\VDPAFiU.exe
2⤵
- Executes dropped EXE
PID:544

C:\Windows\System\TkyJOPN.exe
C:\Windows\System\TkyJOPN.exe
2⤵
- Executes dropped EXE
PID:1164

C:\Windows\System\BnQBrig.exe
C:\Windows\System\BnQBrig.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\System\cxUSolt.exe
C:\Windows\System\cxUSolt.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\rzMokXL.exe
C:\Windows\System\rzMokXL.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\NUyALzi.exe
C:\Windows\System\NUyALzi.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\System\hfCxQtV.exe
C:\Windows\System\hfCxQtV.exe
2⤵
- Executes dropped EXE
PID:824

C:\Windows\System\xbUOlJl.exe
C:\Windows\System\xbUOlJl.exe
2⤵
- Executes dropped EXE
PID:772

C:\Windows\System\PaqYUkf.exe
C:\Windows\System\PaqYUkf.exe
2⤵
- Executes dropped EXE
PID:576

C:\Windows\System\icdPYxE.exe
C:\Windows\System\icdPYxE.exe
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\System\aqpPpyd.exe
C:\Windows\System\aqpPpyd.exe
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\System\NecneSf.exe
C:\Windows\System\NecneSf.exe
2⤵
- Executes dropped EXE
PID:1052

C:\Windows\System\eRuaQAC.exe
C:\Windows\System\eRuaQAC.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\System\CddCaUV.exe
C:\Windows\System\CddCaUV.exe
2⤵
- Executes dropped EXE
PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AkKVlYd.exe
Filesize
5.9MB

MD5
2cda2ef04930189846bd977babf3786d

SHA1
9a0923bcc60c6455ecf08e9914d6ea60b7d4126a

SHA256
3fa2de253d4972c659f2defc83726ab01ce0d881f27cd9369fab216160a5c5ce

SHA512
8443ec59fafe25587034507582a62bd6bcc798b311ab159bbdbc1c5fe225e36c5ff8671f7a46d6b9414f618a67a579d5f3871e64483b6e8400f05f5ddf60398c

Download Submit
C:\Windows\system\BnQBrig.exe
Filesize
5.9MB

MD5
8fd2865e522c6cb97a894865e2f8699e

SHA1
9657d4bd59db7808eddc1008059b9916d52b2307

SHA256
47e09bcef1d5d97bf894702daa4799308f8b6798a95be32ddd93cfb469d56f08

SHA512
8754e71fa312b1ad9ac3b546ceff3ba35a5ea8fdcc5bf725dc321262d151b1e0260e4da6f34192a93c69f9272d16902ae7baf181f7e1f3f568c0c5c66f03d20a

Download Submit
C:\Windows\system\CddCaUV.exe
Filesize
5.9MB

MD5
67d64cc1b20e5378d155f5a69f6462fc

SHA1
9d50fb8a9fccbc32ca14aff95af3e64474073bd9

SHA256
87424be74e74281b010474fc734a0465cea7a1752908cba5bb8e7879e7a8c6a1

SHA512
b0222bfd62aaca4f2ddfca6b6017ce6efcb8682c84c2fb97cd33c2f63a58cb39aad4107af541e5ba04bbaa37311e341c51ccda3ea019667ee604301048593404

Download Submit
C:\Windows\system\NUyALzi.exe
Filesize
5.9MB

MD5
816bb4c622f0c12f543df2c2d39ab275

SHA1
72a51428a497803acf5d971a803697947caf789e

SHA256
678e6ee138fc40d52d2ff9f3cbd54b0d196ad9fe7bf2a2f01a14fef2cb5c3f2f

SHA512
2166ac75b8ea1c6ef742daf4e0d75af87a8a2d787cb13f60cfc98f353f2b286b5ea76da9078d99062019236eaac8adde67e23f5c4ab3ce9337521af1ee8bfeae

Download Submit
C:\Windows\system\NecneSf.exe
Filesize
5.9MB

MD5
6f4b0367122f939c1747b855e60addba

SHA1
a627a20a748f58b777fbaf3c0fe74083c5418c19

SHA256
c2bcceb082c5c263d639e74c5f1e904ad480f2d84a0be08916f5da9cbb8cc0ae

SHA512
edf8b4b17c02c9b8763255b9a3a911be82f9f85948409889acb358fc1f9ae951be7bfbccebf99599eb9c917d5b8a05a6654328c808deaae3037acc60a243f466

Download Submit
C:\Windows\system\OazPdnh.exe
Filesize
5.9MB

MD5
4beaafe0b037c5863215115d8af5a349

SHA1
ac8f354c4f237a5328e468587fe2670dc5c20618

SHA256
56a9d96bd949a0cb1e0113d3c2085c7afd3f4823b60da520f0b6bfc9ca32ca65

SHA512
6a2e0ec598d7b6198de5205e84640467ad5ab0537506fc8d8dcbda17102720a128b8128ebc9b8dfeee543f0cd50120c07c7fe8de5f2caa9ad75fded2ae071b3d

Download Submit
C:\Windows\system\PaqYUkf.exe
Filesize
5.9MB

MD5
5bfb91d6d87fd07d88245799d8206821

SHA1
2cf45a9c3433ff19669e5ce4fb92bcb27e833e71

SHA256
36d994cddf4bc23a9619f9a72db56df2ff4dd9c71772b5aa01484f58830091ba

SHA512
8a6a104224bc85d13a4d19acfc3179c30a3bc76cbefa8b3f73a4153200847665ce42d3ff8469f735e4da031d3ec4fa3aa549ba373237a178e7441ce7950b8fe8

Download Submit
C:\Windows\system\QasHGMw.exe
Filesize
5.9MB

MD5
1986ab1cef358afc67b53bbde0ee9821

SHA1
6aabae0e7d7752a4a08604a3cda086afafe41e14

SHA256
3470ac3ae101a68dce7cce6350b6fc2adaf2904a7481d04dddd0d63b7f862472

SHA512
557240243a0a5e218d40f0c56220fcb6f40c8f85df35ef5f64965e38084f3ac98036d9998f94d32ae7c4528c19b28a44afaeebe64999ae2480b94a4fb63914db

Download Submit
C:\Windows\system\TOeBpTF.exe
Filesize
5.9MB

MD5
c16bb6234c66ca1f3d9d92dfe9231aad

SHA1
35c8aa47c8da277494a5c105594c7bf862e9c085

SHA256
3a1ec1b6f59d92fce8583cfdab89824278d6ceb00331b286042dc41a2c610ba5

SHA512
97d15c9896676ef7039efc8cdd428d6cd8e6340da15c8d99b6024d012c8d05e01366cddb18e12d55d8c8e08bf4fd5d706a0c7c0c5b5c53a4ca2e8a0678e72c05

Download Submit
C:\Windows\system\TkyJOPN.exe
Filesize
5.9MB

MD5
b30314fe09cf25ef67811824d77f3653

SHA1
3dce613f9c065a925eac7e74fece85563b577369

SHA256
86bf6ce53048485f637522f97a58e373779b30f50e56e6c4ab58bcf0acc465e9

SHA512
53e2c9ad916811a95c5db1c59cfb709c090359eb96b3b34fede8f6005c75e00b06e2bd265efa571b73645f62f9f67c59e10bed2bd5e69ce6f27c80ef7b5b8b3e

Download Submit
C:\Windows\system\UzKiRNY.exe
Filesize
5.9MB

MD5
addf7ae604ad83db029a5b4ca8427d86

SHA1
734e9644a2cb28e619e6724e4b77d099189b33c8

SHA256
13b773198386f71d98e88858ba9957824d568794356b106181532faac6f0d3e6

SHA512
125fea26b14fba5bc86b60ba81af52d20627967c123c0ab798f51b741282710a6502ba4978e6d3b4f84f50262218f6bf552a5c3bbc41d46765809d459b1219f0

Download Submit
C:\Windows\system\VDPAFiU.exe
Filesize
5.9MB

MD5
b0c5bd6072943ac4df44d558bbf6a28b

SHA1
c873c44f02cb5698583ae22ab0dc813e6a24ee5b

SHA256
6d43e079396de1b479363f3745a37db84ab80aa9c9e1354f9acfa6777291ccf4

SHA512
378fcb3dffc165de98737248f0581d5604ba72b53bd330c920f0ff1dfc14f70697b00a8bbec77dd92f55a50591b282ab58b72e212ca488f765dd91d6deff38a2

Download Submit
C:\Windows\system\YHybVfX.exe
Filesize
5.9MB

MD5
6df034eec2e41c5904cd4bad68b2bdb4

SHA1
e9044510fbe41a1e8150a77678a511b77c7c1c82

SHA256
5a2411b7dbe1828c6f7b030ddc0caddb2dce32d04436af8abd46d128706d177a

SHA512
602262b7a1f606d7ce995de5e7d0fd72ecea985af8902beda1d063a51cbed18ce1ff3def8522d3f833f5fdb819b85d4b86e63759ae1ee0414f364efceba2485a

Download Submit
C:\Windows\system\aqpPpyd.exe
Filesize
5.9MB

MD5
3e41c90ea214ef825ede705b3fafa9ff

SHA1
afc5ff766534986f44995404f222b9b8a4b43979

SHA256
3b8c778167c9518b4b4e3f37aa85ec27d432225dadd0d6440d2c1274f4f5f316

SHA512
cb385fb5e91605bcdaaedab09d2cc36f95a2e2ad3dca24dc67a78f2c54a742cb20a5eca7df889a58d9546c8cab1f684239cf1e3304cc86e7e00c78eed40a17b7

Download Submit
C:\Windows\system\cxUSolt.exe
Filesize
5.9MB

MD5
ed61fe743cbd3c914d4e6ea1e458ebb0

SHA1
55bd8185c10674916432101c52edacbbce7c20b4

SHA256
08ff28b75fde04d41b1818a151f47a022c9f02a3656149a87714f84a4f12739d

SHA512
bb9a77210725a50919ef8c5308715acfd35ffb9561ba4215f1f350822ec9a49dfaa6de8daa687df7fbcec4ba3ad689a18172c528cc7ccd01c8270e0d1dbbf981

Download Submit
C:\Windows\system\eRuaQAC.exe
Filesize
5.9MB

MD5
29674d5071815b8dc279361a0a895b24

SHA1
83ccb881d7498076f3ba1d2e958083cb06d058f6

SHA256
d74c79f7e2b33bc57f71e168d898d21416c0da80575e8b13d75c8b5c9b0decc3

SHA512
c92fbf05b49945c73cb480d826839ce03ffacf5997667281cbc0302bf698d9e44721a11b8d418080773161a00cb0930d7fe5ef9f1bc2bc528980ed61b7cf88c8

Download Submit
C:\Windows\system\hfCxQtV.exe
Filesize
5.9MB

MD5
b6fa11d3a3617fbce95431069c9943f1

SHA1
6c88c988486022cdc19b1f10c8bcc3e3d7161fbc

SHA256
f20f6be7e7cd93aa2208ee1328c4396cb166e39de3da98c44e1ef43ad52de981

SHA512
a96e9baee3bc74bef44a63c1e49cdcda2a9e976f21f927705f69df7a49421bffc2fad7d014b4a498788d9376609b461a33a33d97eb28b7809fd808d94f63f81b

Download Submit
C:\Windows\system\icdPYxE.exe
Filesize
5.9MB

MD5
81d08624290cefd3c0cb72ceab4f96fe

SHA1
5413bdc677b4844fd1b9030db4d7f5a277a80557

SHA256
0487f40a710860fbb7d64aa094b06f12465ac519f6904f06bd2dd93bcde580ca

SHA512
1bf05785e34c93bba3120e88c9083e8565fb7dbf2009505379575079f821aab06bcd5e3121422a6a7569206d59cc3d068c87ef8452048ddb82cca7f0534cd558

Download Submit
C:\Windows\system\rzMokXL.exe
Filesize
5.9MB

MD5
30051a9486f4762c5f8b4786327e1a1c

SHA1
d1246aa15502a5b59a352636b7f4d3a19025c4f4

SHA256
3338154e1ac281f4c94980214813808079fd8f0fb0dea8e95d06e4f18e00cc1c

SHA512
f77afd7a7c24df2fab19f3ef577c4e23943be89d76fcfadaf1fad2b0a3507901e529ace8a48202a934bae6bf4de82a1af88f429068c2ddeb64b156ee0e02c13a

Download Submit
C:\Windows\system\xbUOlJl.exe
Filesize
5.9MB

MD5
cfe54eb4754608675c62f3292f54ebb9

SHA1
19f0bf4dd90d81776dacb14a07758726af18e9df

SHA256
81a9ae318d0b10f18fab36a73825921aa1dcfa386b6d0b317cc89694cdb781b4

SHA512
059fc5cde34aca389ea0ee38789f9c1cce9616d6604038c4ac890fd8132b7519267bcf43d4ec5b79c0cf96fc0c1465da76426c166f3b356bcf6d8370ac9a480c

Download Submit
C:\Windows\system\zAUzkGk.exe
Filesize
5.9MB

MD5
46cbdc08437fdfe546ef21cb5b254e1a

SHA1
5850ac4320acd10831aa194563f82c83d8084b4d

SHA256
f42d505e2b55f6154119b94ad7820f4922a225ba01ac6ef5ab63f677ffebb89c

SHA512
30d5c857bbc7f0ab5b94b811c2a77e40460e20fa50dec73b272c677a574c163b8b49df891d8a5cf20acb57d98afbe01ccbc646320cbeb4d3b0a08867a0b014c9

Download Submit
\Windows\system\AkKVlYd.exe
Filesize
5.9MB

MD5
2cda2ef04930189846bd977babf3786d

SHA1
9a0923bcc60c6455ecf08e9914d6ea60b7d4126a

SHA256
3fa2de253d4972c659f2defc83726ab01ce0d881f27cd9369fab216160a5c5ce

SHA512
8443ec59fafe25587034507582a62bd6bcc798b311ab159bbdbc1c5fe225e36c5ff8671f7a46d6b9414f618a67a579d5f3871e64483b6e8400f05f5ddf60398c

Download Submit
\Windows\system\BnQBrig.exe
Filesize
5.9MB

MD5
8fd2865e522c6cb97a894865e2f8699e

SHA1
9657d4bd59db7808eddc1008059b9916d52b2307

SHA256
47e09bcef1d5d97bf894702daa4799308f8b6798a95be32ddd93cfb469d56f08

SHA512
8754e71fa312b1ad9ac3b546ceff3ba35a5ea8fdcc5bf725dc321262d151b1e0260e4da6f34192a93c69f9272d16902ae7baf181f7e1f3f568c0c5c66f03d20a

Download Submit
\Windows\system\CddCaUV.exe
Filesize
5.9MB

MD5
67d64cc1b20e5378d155f5a69f6462fc

SHA1
9d50fb8a9fccbc32ca14aff95af3e64474073bd9

SHA256
87424be74e74281b010474fc734a0465cea7a1752908cba5bb8e7879e7a8c6a1

SHA512
b0222bfd62aaca4f2ddfca6b6017ce6efcb8682c84c2fb97cd33c2f63a58cb39aad4107af541e5ba04bbaa37311e341c51ccda3ea019667ee604301048593404

Download Submit
\Windows\system\NUyALzi.exe
Filesize
5.9MB

MD5
816bb4c622f0c12f543df2c2d39ab275

SHA1
72a51428a497803acf5d971a803697947caf789e

SHA256
678e6ee138fc40d52d2ff9f3cbd54b0d196ad9fe7bf2a2f01a14fef2cb5c3f2f

SHA512
2166ac75b8ea1c6ef742daf4e0d75af87a8a2d787cb13f60cfc98f353f2b286b5ea76da9078d99062019236eaac8adde67e23f5c4ab3ce9337521af1ee8bfeae

Download Submit
\Windows\system\NecneSf.exe
Filesize
5.9MB

MD5
6f4b0367122f939c1747b855e60addba

SHA1
a627a20a748f58b777fbaf3c0fe74083c5418c19

SHA256
c2bcceb082c5c263d639e74c5f1e904ad480f2d84a0be08916f5da9cbb8cc0ae

SHA512
edf8b4b17c02c9b8763255b9a3a911be82f9f85948409889acb358fc1f9ae951be7bfbccebf99599eb9c917d5b8a05a6654328c808deaae3037acc60a243f466

Download Submit
\Windows\system\OazPdnh.exe
Filesize
5.9MB

MD5
4beaafe0b037c5863215115d8af5a349

SHA1
ac8f354c4f237a5328e468587fe2670dc5c20618

SHA256
56a9d96bd949a0cb1e0113d3c2085c7afd3f4823b60da520f0b6bfc9ca32ca65

SHA512
6a2e0ec598d7b6198de5205e84640467ad5ab0537506fc8d8dcbda17102720a128b8128ebc9b8dfeee543f0cd50120c07c7fe8de5f2caa9ad75fded2ae071b3d

Download Submit
\Windows\system\PaqYUkf.exe
Filesize
5.9MB

MD5
5bfb91d6d87fd07d88245799d8206821

SHA1
2cf45a9c3433ff19669e5ce4fb92bcb27e833e71

SHA256
36d994cddf4bc23a9619f9a72db56df2ff4dd9c71772b5aa01484f58830091ba

SHA512
8a6a104224bc85d13a4d19acfc3179c30a3bc76cbefa8b3f73a4153200847665ce42d3ff8469f735e4da031d3ec4fa3aa549ba373237a178e7441ce7950b8fe8

Download Submit
\Windows\system\QasHGMw.exe
Filesize
5.9MB

MD5
1986ab1cef358afc67b53bbde0ee9821

SHA1
6aabae0e7d7752a4a08604a3cda086afafe41e14

SHA256
3470ac3ae101a68dce7cce6350b6fc2adaf2904a7481d04dddd0d63b7f862472

SHA512
557240243a0a5e218d40f0c56220fcb6f40c8f85df35ef5f64965e38084f3ac98036d9998f94d32ae7c4528c19b28a44afaeebe64999ae2480b94a4fb63914db

Download Submit
\Windows\system\TOeBpTF.exe
Filesize
5.9MB

MD5
c16bb6234c66ca1f3d9d92dfe9231aad

SHA1
35c8aa47c8da277494a5c105594c7bf862e9c085

SHA256
3a1ec1b6f59d92fce8583cfdab89824278d6ceb00331b286042dc41a2c610ba5

SHA512
97d15c9896676ef7039efc8cdd428d6cd8e6340da15c8d99b6024d012c8d05e01366cddb18e12d55d8c8e08bf4fd5d706a0c7c0c5b5c53a4ca2e8a0678e72c05

Download Submit
\Windows\system\TkyJOPN.exe
Filesize
5.9MB

MD5
b30314fe09cf25ef67811824d77f3653

SHA1
3dce613f9c065a925eac7e74fece85563b577369

SHA256
86bf6ce53048485f637522f97a58e373779b30f50e56e6c4ab58bcf0acc465e9

SHA512
53e2c9ad916811a95c5db1c59cfb709c090359eb96b3b34fede8f6005c75e00b06e2bd265efa571b73645f62f9f67c59e10bed2bd5e69ce6f27c80ef7b5b8b3e

Download Submit
\Windows\system\UzKiRNY.exe
Filesize
5.9MB

MD5
addf7ae604ad83db029a5b4ca8427d86

SHA1
734e9644a2cb28e619e6724e4b77d099189b33c8

SHA256
13b773198386f71d98e88858ba9957824d568794356b106181532faac6f0d3e6

SHA512
125fea26b14fba5bc86b60ba81af52d20627967c123c0ab798f51b741282710a6502ba4978e6d3b4f84f50262218f6bf552a5c3bbc41d46765809d459b1219f0

Download Submit
\Windows\system\VDPAFiU.exe
Filesize
5.9MB

MD5
b0c5bd6072943ac4df44d558bbf6a28b

SHA1
c873c44f02cb5698583ae22ab0dc813e6a24ee5b

SHA256
6d43e079396de1b479363f3745a37db84ab80aa9c9e1354f9acfa6777291ccf4

SHA512
378fcb3dffc165de98737248f0581d5604ba72b53bd330c920f0ff1dfc14f70697b00a8bbec77dd92f55a50591b282ab58b72e212ca488f765dd91d6deff38a2

Download Submit
\Windows\system\YHybVfX.exe
Filesize
5.9MB

MD5
6df034eec2e41c5904cd4bad68b2bdb4

SHA1
e9044510fbe41a1e8150a77678a511b77c7c1c82

SHA256
5a2411b7dbe1828c6f7b030ddc0caddb2dce32d04436af8abd46d128706d177a

SHA512
602262b7a1f606d7ce995de5e7d0fd72ecea985af8902beda1d063a51cbed18ce1ff3def8522d3f833f5fdb819b85d4b86e63759ae1ee0414f364efceba2485a

Download Submit
\Windows\system\aqpPpyd.exe
Filesize
5.9MB

MD5
3e41c90ea214ef825ede705b3fafa9ff

SHA1
afc5ff766534986f44995404f222b9b8a4b43979

SHA256
3b8c778167c9518b4b4e3f37aa85ec27d432225dadd0d6440d2c1274f4f5f316

SHA512
cb385fb5e91605bcdaaedab09d2cc36f95a2e2ad3dca24dc67a78f2c54a742cb20a5eca7df889a58d9546c8cab1f684239cf1e3304cc86e7e00c78eed40a17b7

Download Submit
\Windows\system\cxUSolt.exe
Filesize
5.9MB

MD5
ed61fe743cbd3c914d4e6ea1e458ebb0

SHA1
55bd8185c10674916432101c52edacbbce7c20b4

SHA256
08ff28b75fde04d41b1818a151f47a022c9f02a3656149a87714f84a4f12739d

SHA512
bb9a77210725a50919ef8c5308715acfd35ffb9561ba4215f1f350822ec9a49dfaa6de8daa687df7fbcec4ba3ad689a18172c528cc7ccd01c8270e0d1dbbf981

Download Submit
\Windows\system\eRuaQAC.exe
Filesize
5.9MB

MD5
29674d5071815b8dc279361a0a895b24

SHA1
83ccb881d7498076f3ba1d2e958083cb06d058f6

SHA256
d74c79f7e2b33bc57f71e168d898d21416c0da80575e8b13d75c8b5c9b0decc3

SHA512
c92fbf05b49945c73cb480d826839ce03ffacf5997667281cbc0302bf698d9e44721a11b8d418080773161a00cb0930d7fe5ef9f1bc2bc528980ed61b7cf88c8

Download Submit
\Windows\system\hfCxQtV.exe
Filesize
5.9MB

MD5
b6fa11d3a3617fbce95431069c9943f1

SHA1
6c88c988486022cdc19b1f10c8bcc3e3d7161fbc

SHA256
f20f6be7e7cd93aa2208ee1328c4396cb166e39de3da98c44e1ef43ad52de981

SHA512
a96e9baee3bc74bef44a63c1e49cdcda2a9e976f21f927705f69df7a49421bffc2fad7d014b4a498788d9376609b461a33a33d97eb28b7809fd808d94f63f81b

Download Submit
\Windows\system\icdPYxE.exe
Filesize
5.9MB

MD5
81d08624290cefd3c0cb72ceab4f96fe

SHA1
5413bdc677b4844fd1b9030db4d7f5a277a80557

SHA256
0487f40a710860fbb7d64aa094b06f12465ac519f6904f06bd2dd93bcde580ca

SHA512
1bf05785e34c93bba3120e88c9083e8565fb7dbf2009505379575079f821aab06bcd5e3121422a6a7569206d59cc3d068c87ef8452048ddb82cca7f0534cd558

Download Submit
\Windows\system\rzMokXL.exe
Filesize
5.9MB

MD5
30051a9486f4762c5f8b4786327e1a1c

SHA1
d1246aa15502a5b59a352636b7f4d3a19025c4f4

SHA256
3338154e1ac281f4c94980214813808079fd8f0fb0dea8e95d06e4f18e00cc1c

SHA512
f77afd7a7c24df2fab19f3ef577c4e23943be89d76fcfadaf1fad2b0a3507901e529ace8a48202a934bae6bf4de82a1af88f429068c2ddeb64b156ee0e02c13a

Download Submit
\Windows\system\xbUOlJl.exe
Filesize
5.9MB

MD5
cfe54eb4754608675c62f3292f54ebb9

SHA1
19f0bf4dd90d81776dacb14a07758726af18e9df

SHA256
81a9ae318d0b10f18fab36a73825921aa1dcfa386b6d0b317cc89694cdb781b4

SHA512
059fc5cde34aca389ea0ee38789f9c1cce9616d6604038c4ac890fd8132b7519267bcf43d4ec5b79c0cf96fc0c1465da76426c166f3b356bcf6d8370ac9a480c

Download Submit
\Windows\system\zAUzkGk.exe
Filesize
5.9MB

MD5
46cbdc08437fdfe546ef21cb5b254e1a

SHA1
5850ac4320acd10831aa194563f82c83d8084b4d

SHA256
f42d505e2b55f6154119b94ad7820f4922a225ba01ac6ef5ab63f677ffebb89c

SHA512
30d5c857bbc7f0ab5b94b811c2a77e40460e20fa50dec73b272c677a574c163b8b49df891d8a5cf20acb57d98afbe01ccbc646320cbeb4d3b0a08867a0b014c9

Download Submit
memory/544-89-0x0000000000000000-mapping.dmp

Download
memory/544-175-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/544-96-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/576-126-0x0000000000000000-mapping.dmp

Download
memory/576-143-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/576-183-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/588-164-0x0000000000000000-mapping.dmp

Download
memory/588-174-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/588-191-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/592-178-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/592-103-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/592-83-0x0000000000000000-mapping.dmp

Download
memory/696-171-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/696-70-0x0000000000000000-mapping.dmp

Download
memory/696-77-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/772-144-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/772-120-0x0000000000000000-mapping.dmp

Download
memory/824-116-0x0000000000000000-mapping.dmp

Download
memory/824-181-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/824-134-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/852-149-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/852-176-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/852-74-0x0000000000000000-mapping.dmp

Download
memory/1052-139-0x0000000000000000-mapping.dmp

Download
memory/1052-153-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/1052-189-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/1112-112-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1112-177-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/1112-98-0x0000000000000000-mapping.dmp

Download
memory/1164-93-0x0000000000000000-mapping.dmp

Download
memory/1164-179-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1164-150-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1540-79-0x0000000000000000-mapping.dmp

Download
memory/1540-172-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1540-87-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1544-185-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1544-146-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1544-136-0x0000000000000000-mapping.dmp

Download
memory/1556-186-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1556-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1556-132-0x0000000000000000-mapping.dmp

Download
memory/1592-148-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1592-59-0x0000000000000000-mapping.dmp

Download
memory/1592-162-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1648-190-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/1648-159-0x0000000000000000-mapping.dmp

Download
memory/1648-170-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/1676-121-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/1676-54-0x0000000001B20000-0x0000000001B30000-memory.dmp

Filesize
64KB

Download
memory/1676-167-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-64-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-60-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1676-188-0x0000000002250000-0x00000000025A4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-68-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1676-187-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/1676-124-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1676-165-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/1676-156-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/1704-184-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1704-110-0x0000000000000000-mapping.dmp

Download
memory/1704-152-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/1756-102-0x0000000000000000-mapping.dmp

Download
memory/1756-151-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/1756-182-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/1768-67-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/1768-154-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/1768-56-0x0000000000000000-mapping.dmp

Download
memory/1768-166-0x000000013F300000-0x000000013F654000-memory.dmp

Filesize
3.3MB

Download
memory/1792-155-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1792-173-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1792-66-0x0000000000000000-mapping.dmp

Download
memory/1792-84-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1968-180-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1968-107-0x0000000000000000-mapping.dmp

Download
memory/1968-133-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download