darkcomet | 4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO091K43Z9.exe
Size

1.9MB
MD5

543dc2f0c0753a513107e1a927ae99d5
SHA1

d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0
SHA256

4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470
SHA512

7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9
SSDEEP

49152:NezI7YEYMFigIlrrVdp7CEmUxvKAfOi/6hH13:ECjOrTAoHmi/E

Score

10^/10

darkcomet nanocore febuary 2023 evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FEBUARY 2023

mjosh6995.ddns.net:55665

Mutex

DC_MUTEX-S83UYVQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
TYztkTZwyasi
install
true
offline_keylogger
true
persistence
true
reg_key
chrome

Extracted

Family

nanocore

Version

1.2.2.0

lisajennyjohn.ddns.net:22233

mjosh6995.ddns.net:22233

Mutex

be639d6f-221e-4487-9b18-8bcd5185dfbf

Attributes

activate_away_mode
true
backup_connection_host
mjosh6995.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-08T16:24:55.881679736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
22233
default_group
FEBUARY 2023
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
be639d6f-221e-4487-9b18-8bcd5185dfbf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
lisajennyjohn.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

PO091K43Z9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	PO091K43Z9.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1392 attrib.exe
1156 attrib.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1588 notepad.exe
Executes dropped EXE 4 IoCs

Processes:

STUB01.EXEmsdcsc.exemsdcsc.exeSTUB01.EXE

pid process

1944 STUB01.EXE
1388 msdcsc.exe
1732 msdcsc.exe
1520 STUB01.EXE
Loads dropped DLL 6 IoCs

Processes:

PO091K43Z9.exemsdcsc.exe

pid process

684 PO091K43Z9.exe
684 PO091K43Z9.exe
684 PO091K43Z9.exe
684 PO091K43Z9.exe
1732 msdcsc.exe
1732 msdcsc.exe

pid	process
1392	attrib.exe
1156	attrib.exe

pid	process
1588	notepad.exe

pid	process
1944	STUB01.EXE
1388	msdcsc.exe
1732	msdcsc.exe
1520	STUB01.EXE

pid	process
684	PO091K43Z9.exe
684	PO091K43Z9.exe
684	PO091K43Z9.exe
684	PO091K43Z9.exe
1732	msdcsc.exe
1732	msdcsc.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

STUB01.EXEmsdcsc.exePO091K43Z9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Monitor = "C:\\Program Files (x86)\\ISS Monitor\\issmon.exe"	STUB01.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	PO091K43Z9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

STUB01.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA STUB01.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	STUB01.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

PO091K43Z9.exemsdcsc.exe

description	pid	process	target process
PID 1540 set thread context of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1388 set thread context of 1732	1388	msdcsc.exe	msdcsc.exe

Drops file in Program Files directory 2 IoCs

Processes:

STUB01.EXE

description	ioc	process
File created	C:\Program Files (x86)\ISS Monitor\issmon.exe	STUB01.EXE
File opened for modification	C:\Program Files (x86)\ISS Monitor\issmon.exe	STUB01.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1992 schtasks.exe
1972 schtasks.exe
1660 schtasks.exe
1736 schtasks.exe

pid	process
1992	schtasks.exe
1972	schtasks.exe
1660	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

PO091K43Z9.exepowershell.exepowershell.exeSTUB01.EXEmsdcsc.exepowershell.exepowershell.exe

pid	process
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1540	PO091K43Z9.exe
1508	powershell.exe
1516	powershell.exe
1944	STUB01.EXE
1944	STUB01.EXE
1944	STUB01.EXE
1944	STUB01.EXE
1944	STUB01.EXE
1944	STUB01.EXE
1388	msdcsc.exe
1388	msdcsc.exe
1388	msdcsc.exe
1388	msdcsc.exe
1388	msdcsc.exe
1388	msdcsc.exe
1388	msdcsc.exe
1156	powershell.exe
872	powershell.exe
1388	msdcsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

STUB01.EXE

pid process

1944 STUB01.EXE

pid	process
1944	STUB01.EXE

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

PO091K43Z9.exepowershell.exepowershell.exePO091K43Z9.exeSTUB01.EXEmsdcsc.exepowershell.exepowershell.exemsdcsc.exe

description	pid	process
Token: SeDebugPrivilege	1540	PO091K43Z9.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeIncreaseQuotaPrivilege	684	PO091K43Z9.exe
Token: SeSecurityPrivilege	684	PO091K43Z9.exe
Token: SeTakeOwnershipPrivilege	684	PO091K43Z9.exe
Token: SeLoadDriverPrivilege	684	PO091K43Z9.exe
Token: SeSystemProfilePrivilege	684	PO091K43Z9.exe
Token: SeSystemtimePrivilege	684	PO091K43Z9.exe
Token: SeProfSingleProcessPrivilege	684	PO091K43Z9.exe
Token: SeIncBasePriorityPrivilege	684	PO091K43Z9.exe
Token: SeCreatePagefilePrivilege	684	PO091K43Z9.exe
Token: SeBackupPrivilege	684	PO091K43Z9.exe
Token: SeRestorePrivilege	684	PO091K43Z9.exe
Token: SeShutdownPrivilege	684	PO091K43Z9.exe
Token: SeDebugPrivilege	684	PO091K43Z9.exe
Token: SeSystemEnvironmentPrivilege	684	PO091K43Z9.exe
Token: SeChangeNotifyPrivilege	684	PO091K43Z9.exe
Token: SeRemoteShutdownPrivilege	684	PO091K43Z9.exe
Token: SeUndockPrivilege	684	PO091K43Z9.exe
Token: SeManageVolumePrivilege	684	PO091K43Z9.exe
Token: SeImpersonatePrivilege	684	PO091K43Z9.exe
Token: SeCreateGlobalPrivilege	684	PO091K43Z9.exe
Token: 33	684	PO091K43Z9.exe
Token: 34	684	PO091K43Z9.exe
Token: 35	684	PO091K43Z9.exe
Token: SeDebugPrivilege	1944	STUB01.EXE
Token: SeDebugPrivilege	1388	msdcsc.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeIncreaseQuotaPrivilege	1732	msdcsc.exe
Token: SeSecurityPrivilege	1732	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1732	msdcsc.exe
Token: SeLoadDriverPrivilege	1732	msdcsc.exe
Token: SeSystemProfilePrivilege	1732	msdcsc.exe
Token: SeSystemtimePrivilege	1732	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1732	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1732	msdcsc.exe
Token: SeCreatePagefilePrivilege	1732	msdcsc.exe
Token: SeBackupPrivilege	1732	msdcsc.exe
Token: SeRestorePrivilege	1732	msdcsc.exe
Token: SeShutdownPrivilege	1732	msdcsc.exe
Token: SeDebugPrivilege	1732	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1732	msdcsc.exe
Token: SeChangeNotifyPrivilege	1732	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1732	msdcsc.exe
Token: SeUndockPrivilege	1732	msdcsc.exe
Token: SeManageVolumePrivilege	1732	msdcsc.exe
Token: SeImpersonatePrivilege	1732	msdcsc.exe
Token: SeCreateGlobalPrivilege	1732	msdcsc.exe
Token: 33	1732	msdcsc.exe
Token: 34	1732	msdcsc.exe
Token: 35	1732	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1732 msdcsc.exe

pid	process
1732	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PO091K43Z9.exePO091K43Z9.execmd.execmd.exeSTUB01.EXE

description	pid	process	target process
PID 1540 wrote to memory of 1508	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1508	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1508	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1508	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1516	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1516	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1516	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1516	1540	PO091K43Z9.exe	powershell.exe
PID 1540 wrote to memory of 1972	1540	PO091K43Z9.exe	schtasks.exe
PID 1540 wrote to memory of 1972	1540	PO091K43Z9.exe	schtasks.exe
PID 1540 wrote to memory of 1972	1540	PO091K43Z9.exe	schtasks.exe
PID 1540 wrote to memory of 1972	1540	PO091K43Z9.exe	schtasks.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 1540 wrote to memory of 684	1540	PO091K43Z9.exe	PO091K43Z9.exe
PID 684 wrote to memory of 1748	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 1748	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 1748	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 1748	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 2024	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 2024	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 2024	684	PO091K43Z9.exe	cmd.exe
PID 684 wrote to memory of 2024	684	PO091K43Z9.exe	cmd.exe
PID 1748 wrote to memory of 1392	1748	cmd.exe	attrib.exe
PID 1748 wrote to memory of 1392	1748	cmd.exe	attrib.exe
PID 1748 wrote to memory of 1392	1748	cmd.exe	attrib.exe
PID 1748 wrote to memory of 1392	1748	cmd.exe	attrib.exe
PID 684 wrote to memory of 1944	684	PO091K43Z9.exe	STUB01.EXE
PID 684 wrote to memory of 1944	684	PO091K43Z9.exe	STUB01.EXE
PID 684 wrote to memory of 1944	684	PO091K43Z9.exe	STUB01.EXE
PID 684 wrote to memory of 1944	684	PO091K43Z9.exe	STUB01.EXE
PID 2024 wrote to memory of 1156	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1156	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1156	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1156	2024	cmd.exe	attrib.exe
PID 1944 wrote to memory of 1660	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1660	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1660	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1660	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1736	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1736	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1736	1944	STUB01.EXE	schtasks.exe
PID 1944 wrote to memory of 1736	1944	STUB01.EXE	schtasks.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe
PID 684 wrote to memory of 1588	684	PO091K43Z9.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1392 attrib.exe
1156 attrib.exe

pid	process
1392	attrib.exe
1156	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe
"C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uawdcNde.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uawdcNde" /XML "C:\Users\Admin\AppData\Local\Temp\tmp436.tmp"
2⤵
- Creates scheduled task(s)
PID:1972

C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe
"C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\PO091K43Z9.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1392

C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB01.EXE"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10F3.tmp"
4⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp11ED.tmp"
4⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:1588

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uawdcNde.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uawdcNde" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp"
4⤵
- Creates scheduled task(s)
PID:1992

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
"C:\Users\Admin\AppData\Local\Temp\STUB01.EXE"
5⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10F3.tmp
Filesize
1KB

MD5
8e8f38062552037fe3db0187e34e78cb

SHA1
29e3c548ef2b77280bfc22c9ea9d382bb845a833

SHA256
3c91b8a6a2dc27e175c16a7e79ac0d182ca5c093cc3882267b92f8c9e53d931b

SHA512
523242466e3cc08f20de35539091a54455755273d03156e2f0262e1554f0d2326e5c7b8b62355d9bb0078f9a0f6b44db5b537bea214fe99a466837d90c3c6d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11ED.tmp
Filesize
1KB

MD5
97ca1345e92062cecc79ad320a0e89b1

SHA1
9e696a4df86c685befe01d00a16611331ed7e763

SHA256
937a440251a10c5a8921104975e5b7f166a34be5e48aa5c4ad344f8beadd1ad2

SHA512
b7cce6586e4db4e387343c01977b0768fca8c4842098f1caf7e4240fa89273279b1ade5ed25aaf108102dd06c0ee945a24cf4786eb24de34520b4c11c2e82214

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp436.tmp
Filesize
1KB

MD5
045ae8ed57c923587f65c4ff42d74c2c

SHA1
ad9ffb8eccc2231ad9a6ee7f682847f28dd23565

SHA256
c570359470444b9c8217a5653b6b2c438ce07a19f0986099dd883a110e799c42

SHA512
18493047b704239cfe0d97cf10e287090837f9ea4b13911df9d3b1c07c1283dcfeb732ba83203397ec70a76193473bdd54253796d8e22d41434105d9c16e8888

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp
Filesize
1KB

MD5
045ae8ed57c923587f65c4ff42d74c2c

SHA1
ad9ffb8eccc2231ad9a6ee7f682847f28dd23565

SHA256
c570359470444b9c8217a5653b6b2c438ce07a19f0986099dd883a110e799c42

SHA512
18493047b704239cfe0d97cf10e287090837f9ea4b13911df9d3b1c07c1283dcfeb732ba83203397ec70a76193473bdd54253796d8e22d41434105d9c16e8888

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLRWTXJQ16PXL54OP4YY.temp
Filesize
7KB

MD5
41f7cb78fae774047d55ab27be08a9ce

SHA1
c06d888f1542f2c425bfdf1e1dfb7988b91e34e0

SHA256
4e2f8f2c7d50026173a7db8863bf762d4f520452d0b65664dc8b753b1db42dd4

SHA512
3f3015b770aa58e12bbb07d0834d1008fd2a805b5a4f16aa3c08b587a7998b68a99ed48f8623dd2915d51bb0ba6c296a6e32e0e7b4909bc2b22a83fd079ea256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
41f7cb78fae774047d55ab27be08a9ce

SHA1
c06d888f1542f2c425bfdf1e1dfb7988b91e34e0

SHA256
4e2f8f2c7d50026173a7db8863bf762d4f520452d0b65664dc8b753b1db42dd4

SHA512
3f3015b770aa58e12bbb07d0834d1008fd2a805b5a4f16aa3c08b587a7998b68a99ed48f8623dd2915d51bb0ba6c296a6e32e0e7b4909bc2b22a83fd079ea256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
41f7cb78fae774047d55ab27be08a9ce

SHA1
c06d888f1542f2c425bfdf1e1dfb7988b91e34e0

SHA256
4e2f8f2c7d50026173a7db8863bf762d4f520452d0b65664dc8b753b1db42dd4

SHA512
3f3015b770aa58e12bbb07d0834d1008fd2a805b5a4f16aa3c08b587a7998b68a99ed48f8623dd2915d51bb0ba6c296a6e32e0e7b4909bc2b22a83fd079ea256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
41f7cb78fae774047d55ab27be08a9ce

SHA1
c06d888f1542f2c425bfdf1e1dfb7988b91e34e0

SHA256
4e2f8f2c7d50026173a7db8863bf762d4f520452d0b65664dc8b753b1db42dd4

SHA512
3f3015b770aa58e12bbb07d0834d1008fd2a805b5a4f16aa3c08b587a7998b68a99ed48f8623dd2915d51bb0ba6c296a6e32e0e7b4909bc2b22a83fd079ea256

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
\Users\Admin\AppData\Local\Temp\STUB01.EXE
Filesize
203KB

MD5
fe99ea6d3ec88c3559aabf7ff17fe01a

SHA1
da8c19d38a772c10a450ed20ee3eade532b7faf6

SHA256
5bff06f98d648f471409ca97dfcdeabe3f06b021c9287707c30012b989f80e35

SHA512
82318cb0e613362b55ca807988665fb759652bff7029175ca7cd7942534da31700ae3dfbcf141c52581ebd463734cf36f117141d3933cce7af537988310ed55f

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
1.9MB

MD5
543dc2f0c0753a513107e1a927ae99d5

SHA1
d748a1e2bfa2d485c9ac75590208dc1c00d4b2e0

SHA256
4e5713ceec170e84cae9279b5c89afd51938b5352e7f393e2bd5490cc9d5a470

SHA512
7a0fe50c6cab6001c5ca9e71f12c45f6212f11d3ee4219999db7bad7796a73dd3e181efa0f313c9823cc09606b08692762bc48a5788321f98c5af54dd46490d9

Download Submit
memory/684-79-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-125-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/684-138-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-74-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-75-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-91-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-84-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-83-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-82-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/684-80-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-76-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-78-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-77-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/684-73-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/692-196-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1388-144-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/1388-140-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/1388-135-0x0000000001310000-0x0000000001508000-memory.dmp

Filesize
2.0MB

Download
memory/1388-137-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/1508-85-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1516-86-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1516-88-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1516-87-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1540-54-0x00000000011C0000-0x00000000013B8000-memory.dmp

Filesize
2.0MB

Download
memory/1540-55-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/1540-56-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/1540-57-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/1540-72-0x000000000A290000-0x000000000A378000-memory.dmp

Filesize
928KB

Download
memory/1540-59-0x0000000009F60000-0x000000000A0BC000-memory.dmp

Filesize
1.4MB

Download
memory/1540-58-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1588-123-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1588-109-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1732-171-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-165-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1732-170-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-175-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-176-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1732-169-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-197-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-198-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1732-199-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1944-124-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/1944-143-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download