amadey | 6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2023 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe
Size

1.2MB
MD5

1dc35fca0330851928ad62a61ddb5b09
SHA1

d876a856525f54ef2b0e7518229796064c08f046
SHA256

6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b
SHA512

97ad9095490e3d5b708ffd6980119ef4573e7c141ba1fb4e064cb1282f5ab1d10ce80f71a38fd76d338271ba6862e9a039ad98b6d2d82fed779250204215c259
SSDEEP

24576:dyR56GRNx32WzkTyiot0SigRjMXwErLcx:4R5Rn9ohot0Pdw

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr209415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr209415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr209415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr209415.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr209415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr209415.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	qu566792.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	si191904.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
412	un073196.exe
552	un235264.exe
3372	pr209415.exe
2460	qu566792.exe
2496	1.exe
3316	rk448335.exe
1456	si191904.exe
1716	oneetx.exe
4324	oneetx.exe
4996	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2828	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr209415.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr209415.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un235264.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un073196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un073196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un235264.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
3316	3372	WerFault.exe	82
4324	2460	WerFault.exe	88
2988	1456	WerFault.exe	94
4864	1456	WerFault.exe	94
4716	1456	WerFault.exe	94
1680	1456	WerFault.exe	94
2848	1456	WerFault.exe	94
2236	1456	WerFault.exe	94
1740	1456	WerFault.exe	94
2660	1456	WerFault.exe	94
3428	1456	WerFault.exe	94
3824	1456	WerFault.exe	94
4680	1716	WerFault.exe	113
2240	1716	WerFault.exe	113
2160	1716	WerFault.exe	113
4388	1716	WerFault.exe	113
3804	1716	WerFault.exe	113
1500	1716	WerFault.exe	113
4092	1716	WerFault.exe	113
3996	1716	WerFault.exe	113
1668	1716	WerFault.exe	113
4104	1716	WerFault.exe	113
3812	1716	WerFault.exe	113
4344	1716	WerFault.exe	113
3956	4324	WerFault.exe	142
5060	1716	WerFault.exe	113
4688	1716	WerFault.exe	113
1664	1716	WerFault.exe	113
1580	4996	WerFault.exe	152

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3372	pr209415.exe
3372	pr209415.exe
2496	1.exe
3316	rk448335.exe
3316	rk448335.exe
2496	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	pr209415.exe
Token: SeDebugPrivilege	2460	qu566792.exe
Token: SeDebugPrivilege	3316	rk448335.exe
Token: SeDebugPrivilege	2496	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1456	si191904.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 412	1120	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe	80
PID 1120 wrote to memory of 412	1120	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe	80
PID 1120 wrote to memory of 412	1120	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe	80
PID 412 wrote to memory of 552	412	un073196.exe	81
PID 412 wrote to memory of 552	412	un073196.exe	81
PID 412 wrote to memory of 552	412	un073196.exe	81
PID 552 wrote to memory of 3372	552	un235264.exe	82
PID 552 wrote to memory of 3372	552	un235264.exe	82
PID 552 wrote to memory of 3372	552	un235264.exe	82
PID 552 wrote to memory of 2460	552	un235264.exe	88
PID 552 wrote to memory of 2460	552	un235264.exe	88
PID 552 wrote to memory of 2460	552	un235264.exe	88
PID 2460 wrote to memory of 2496	2460	qu566792.exe	90
PID 2460 wrote to memory of 2496	2460	qu566792.exe	90
PID 2460 wrote to memory of 2496	2460	qu566792.exe	90
PID 412 wrote to memory of 3316	412	un073196.exe	93
PID 412 wrote to memory of 3316	412	un073196.exe	93
PID 412 wrote to memory of 3316	412	un073196.exe	93
PID 1120 wrote to memory of 1456	1120	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe	94
PID 1120 wrote to memory of 1456	1120	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe	94
PID 1120 wrote to memory of 1456	1120	6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe	94
PID 1456 wrote to memory of 1716	1456	si191904.exe	113
PID 1456 wrote to memory of 1716	1456	si191904.exe	113
PID 1456 wrote to memory of 1716	1456	si191904.exe	113
PID 1716 wrote to memory of 3596	1716	oneetx.exe	130
PID 1716 wrote to memory of 3596	1716	oneetx.exe	130
PID 1716 wrote to memory of 3596	1716	oneetx.exe	130
PID 1716 wrote to memory of 2828	1716	oneetx.exe	147
PID 1716 wrote to memory of 2828	1716	oneetx.exe	147
PID 1716 wrote to memory of 2828	1716	oneetx.exe	147

C:\Users\Admin\AppData\Local\Temp\6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe
"C:\Users\Admin\AppData\Local\Temp\6bb1fce7307600373696b9d05b1de27fc39e068fa921af8039ed13467be9860b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073196.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073196.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un235264.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un235264.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr209415.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr209415.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1088
        5⤵
        Program crash
        
        PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu566792.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu566792.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1404
        5⤵
        Program crash
        
        PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk448335.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk448335.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si191904.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si191904.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 700
    3⤵
    - Program crash
    PID:2988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 732
    3⤵
    - Program crash
    PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 860
    3⤵
    - Program crash
    PID:4716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 952
    3⤵
    - Program crash
    PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 992
    3⤵
    - Program crash
    PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1012
    3⤵
    - Program crash
    PID:2236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1224
    3⤵
    - Program crash
    PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1216
    3⤵
    - Program crash
    PID:2660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1316
    3⤵
    - Program crash
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 696
      4⤵
      Program crash
      PID:4680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 912
      4⤵
      Program crash
      PID:2240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 932
      4⤵
      Program crash
      PID:2160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1092
      4⤵
      Program crash
      PID:4388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 928
      4⤵
      Program crash
      PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1116
      4⤵
      Program crash
      PID:1500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1152
      4⤵
      Program crash
      PID:4092
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1028
      4⤵
      Program crash
      PID:3996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 688
      4⤵
      Program crash
      PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 756
      4⤵
      Program crash
      PID:4104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 784
      4⤵
      Program crash
      PID:3812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1176
      4⤵
      Program crash
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1612
      4⤵
      Program crash
      PID:5060
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1372
      4⤵
      Program crash
      PID:4688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1628
      4⤵
      Program crash
      PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1360
    3⤵
    - Program crash
    PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3372 -ip 3372
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2460 -ip 2460
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1456 -ip 1456
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1456 -ip 1456
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1456 -ip 1456
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1456 -ip 1456
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1456 -ip 1456
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1456 -ip 1456
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1456 -ip 1456
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1456 -ip 1456
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1456 -ip 1456
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1456 -ip 1456
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1716 -ip 1716
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1716 -ip 1716
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1716 -ip 1716
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1716 -ip 1716
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1716 -ip 1716
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1716 -ip 1716
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1716 -ip 1716
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1716 -ip 1716
1⤵
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1716 -ip 1716
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1716 -ip 1716
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1716 -ip 1716
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1716 -ip 1716
1⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 320
  2⤵
  - Program crash
  PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4324 -ip 4324
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1716 -ip 1716
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1716 -ip 1716
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1716 -ip 1716
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 324
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4996 -ip 4996
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si191904.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si191904.exe

Filesize
395KB

MD5
4a04fe844d0697cd44aa9fc501cc4a2b

SHA1
9d3d7292f776cff124ccd59218e70c5036fde30c

SHA256
cebcff48af7f45916dcbb2c0b30b67bdd0957c83e9bb04e7502e8fab54311f4c

SHA512
025d50124126018a9e2aeaaf7a3cffb53b6b6c51ba4083e0afbd6110d95d11c8b0941ea8e0f63a7e519bc2ca1b2c02a3e5f7df99d230a01437c4a01a1448d146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073196.exe

Filesize
862KB

MD5
e9f3db490cb51b09fc75d42e2adf21b0

SHA1
dfef089ece4728bbd969ae6c2e0d9d936cf4ff2a

SHA256
85f5740ca2c510330c6e814e65eb87b5667e907198ad17a32036898fc035c210

SHA512
7f61ebfe780a0cc0968eb3fb6ee1dc17c4f494f0ecb03f25d68cdedb6b78fdcec23c6bac755cf168f1d84adf827983b3eff3fbee830cf630f50f3a6548b64614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un073196.exe

Filesize
862KB

MD5
e9f3db490cb51b09fc75d42e2adf21b0

SHA1
dfef089ece4728bbd969ae6c2e0d9d936cf4ff2a

SHA256
85f5740ca2c510330c6e814e65eb87b5667e907198ad17a32036898fc035c210

SHA512
7f61ebfe780a0cc0968eb3fb6ee1dc17c4f494f0ecb03f25d68cdedb6b78fdcec23c6bac755cf168f1d84adf827983b3eff3fbee830cf630f50f3a6548b64614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk448335.exe

Filesize
168KB

MD5
279e7fb26a4227aaf1aef2458a20b051

SHA1
8a5b58d27ea6a318ea393eb4b29ae3fec503a667

SHA256
9dad5a1238231b34d3c828307c99cac3facc04d71c244d23299ae37dffac680a

SHA512
7f193d1df2fa5959392b626ec5ce3cea3016879fbf36c7134d51f0ee7045455deb84419318739223f0a2a3e5ef9fc5f178105819e4e862b778479b484c9cb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk448335.exe

Filesize
168KB

MD5
279e7fb26a4227aaf1aef2458a20b051

SHA1
8a5b58d27ea6a318ea393eb4b29ae3fec503a667

SHA256
9dad5a1238231b34d3c828307c99cac3facc04d71c244d23299ae37dffac680a

SHA512
7f193d1df2fa5959392b626ec5ce3cea3016879fbf36c7134d51f0ee7045455deb84419318739223f0a2a3e5ef9fc5f178105819e4e862b778479b484c9cb4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un235264.exe

Filesize
709KB

MD5
763d95d449560416499d8f64783884cc

SHA1
d0fde1cf105700b1bf5526ca3376c153c1cb1d4f

SHA256
e36db4ec97e6ec67ab660b7540da3bb19e7aad3402b49e07f78805f8da342260

SHA512
ec941bab1bce3a9b9dda093ebb4ddae839508718045710118e6a3a194413b5d6a75d1d234103a49aebaa722f4ce4aeee2b215cc519e0c3b6d52b83d65623dbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un235264.exe

Filesize
709KB

MD5
763d95d449560416499d8f64783884cc

SHA1
d0fde1cf105700b1bf5526ca3376c153c1cb1d4f

SHA256
e36db4ec97e6ec67ab660b7540da3bb19e7aad3402b49e07f78805f8da342260

SHA512
ec941bab1bce3a9b9dda093ebb4ddae839508718045710118e6a3a194413b5d6a75d1d234103a49aebaa722f4ce4aeee2b215cc519e0c3b6d52b83d65623dbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr209415.exe

Filesize
403KB

MD5
7274c4622021d4c4adc1010c69098bb2

SHA1
d9ded3427da81848f15505d226dd20212148f15f

SHA256
6741857b4f06ce1198d9d3bf43c09e9e86702a78dca53a0075e35f7302ddfdcf

SHA512
1de5361dcedcd1aad05675fbd53884d709562bfc6e688f77bba4fa796ef1fec7ff78de3a9a1f8e686ddaad828519a00a3b3caaf5c61748c26daf9d408cb6341c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr209415.exe

Filesize
403KB

MD5
7274c4622021d4c4adc1010c69098bb2

SHA1
d9ded3427da81848f15505d226dd20212148f15f

SHA256
6741857b4f06ce1198d9d3bf43c09e9e86702a78dca53a0075e35f7302ddfdcf

SHA512
1de5361dcedcd1aad05675fbd53884d709562bfc6e688f77bba4fa796ef1fec7ff78de3a9a1f8e686ddaad828519a00a3b3caaf5c61748c26daf9d408cb6341c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu566792.exe

Filesize
588KB

MD5
ab1723b194059fdcc1b02abb5a88be18

SHA1
134c4c3f7205454d26b0766b7d5c2c22b62effdc

SHA256
1e0c05eed43252dcd526e0adf4bffc025fb759a863e7784bfcdaf2d437e34802

SHA512
5cbd307b68e7c343b28ebb7e978d495090bba6f9860b72c08863bdc302ee004f7da44d66cf41cbc661e399dede47ae83ec8de86c3c9589ffd0304f6f5bac12ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu566792.exe

Filesize
588KB

MD5
ab1723b194059fdcc1b02abb5a88be18

SHA1
134c4c3f7205454d26b0766b7d5c2c22b62effdc

SHA256
1e0c05eed43252dcd526e0adf4bffc025fb759a863e7784bfcdaf2d437e34802

SHA512
5cbd307b68e7c343b28ebb7e978d495090bba6f9860b72c08863bdc302ee004f7da44d66cf41cbc661e399dede47ae83ec8de86c3c9589ffd0304f6f5bac12ba

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/1456-2369-0x0000000002480000-0x00000000024BB000-memory.dmp

Filesize
236KB

Download
memory/2460-215-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-231-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-329-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2460-331-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2460-328-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2460-2343-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2460-326-0x00000000009A0000-0x00000000009FB000-memory.dmp

Filesize
364KB

Download
memory/2460-229-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-198-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-199-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-201-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-203-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-205-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-207-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-209-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-211-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-213-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-225-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-217-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-219-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-221-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-223-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2460-227-0x0000000002A50000-0x0000000002AB0000-memory.dmp

Filesize
384KB

Download
memory/2496-2342-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/2496-2357-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/2496-2351-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/2496-2354-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/2496-2344-0x0000000005170000-0x0000000005788000-memory.dmp

Filesize
6.1MB

Download
memory/2496-2345-0x0000000004C60000-0x0000000004D6A000-memory.dmp

Filesize
1.0MB

Download
memory/2496-2347-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2496-2359-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/2496-2361-0x0000000008300000-0x000000000882C000-memory.dmp

Filesize
5.2MB

Download
memory/2496-2362-0x0000000005FE0000-0x0000000006030000-memory.dmp

Filesize
320KB

Download
memory/3316-2352-0x00000000000B0000-0x00000000000E0000-memory.dmp

Filesize
192KB

Download
memory/3316-2353-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/3316-2360-0x0000000005EB0000-0x0000000006072000-memory.dmp

Filesize
1.8MB

Download
memory/3316-2358-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/3316-2356-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/3316-2355-0x0000000004D70000-0x0000000004DE6000-memory.dmp

Filesize
472KB

Download
memory/3372-177-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-171-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-183-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-187-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-181-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3372-189-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3372-179-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-190-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3372-193-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/3372-191-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3372-175-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-173-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-185-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-169-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-167-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-165-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-163-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-161-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-160-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3372-159-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3372-157-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3372-158-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3372-156-0x0000000000AB0000-0x0000000000ADD000-memory.dmp

Filesize
180KB

Download
memory/3372-155-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download