ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
Size

903KB
MD5

9af28b16ea32b7f590b7c8e18babbe84
SHA1

61768d397ada67b94871892a147ccbdfbfc25313
SHA256

ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532
SHA512

f32ebc40dff756f0cb33051df717e7ad982a2771500425156e22570e35bbaa21e8794273a48fb940aa7640fd560d7b0d6c1e65722348dd096240ed16df389291
SSDEEP

24576:8BHlabsM8KGH7Co0OLeGrIocE5lArjPP:8BHl08KGbNLeGMb4un

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	Logo1_.exe
2748	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe

Loads dropped DLL 1 IoCs

pid	Process
2748	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SETECA2.tmp	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
File created	C:\Windows\SysWOW64\SETECA2.tmp	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
File opened for modification	C:\Windows\SysWOW64\msnphoto.scr	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSN\MSNCoreFiles\PI\SETECD5.tmp	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\MicrosoftEdgeUpdate.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
File created	C:\Windows\Logo1_.exe	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe
2064	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4356	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	85
PID 3536 wrote to memory of 4356	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	85
PID 3536 wrote to memory of 4356	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	85
PID 4356 wrote to memory of 1328	4356	net.exe	88
PID 4356 wrote to memory of 1328	4356	net.exe	88
PID 4356 wrote to memory of 1328	4356	net.exe	88
PID 3536 wrote to memory of 2500	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	91
PID 3536 wrote to memory of 2500	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	91
PID 3536 wrote to memory of 2500	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	91
PID 3536 wrote to memory of 2064	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	92
PID 3536 wrote to memory of 2064	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	92
PID 3536 wrote to memory of 2064	3536	ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe	92
PID 2064 wrote to memory of 972	2064	Logo1_.exe	93
PID 2064 wrote to memory of 972	2064	Logo1_.exe	93
PID 2064 wrote to memory of 972	2064	Logo1_.exe	93
PID 972 wrote to memory of 3996	972	net.exe	95
PID 972 wrote to memory of 3996	972	net.exe	95
PID 972 wrote to memory of 3996	972	net.exe	95
PID 2500 wrote to memory of 2748	2500	cmd.exe	97
PID 2500 wrote to memory of 2748	2500	cmd.exe	97
PID 2500 wrote to memory of 2748	2500	cmd.exe	97
PID 2064 wrote to memory of 4940	2064	Logo1_.exe	98
PID 2064 wrote to memory of 4940	2064	Logo1_.exe	98
PID 2064 wrote to memory of 4940	2064	Logo1_.exe	98
PID 4940 wrote to memory of 3852	4940	net.exe	100
PID 4940 wrote to memory of 3852	4940	net.exe	100
PID 4940 wrote to memory of 3852	4940	net.exe	100
PID 2064 wrote to memory of 3188	2064	Logo1_.exe	55
PID 2064 wrote to memory of 3188	2064	Logo1_.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3188
- C:\Users\Admin\AppData\Local\Temp\ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
  "C:\Users\Admin\AppData\Local\Temp\ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDDFC.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe
      "C:\Users\Admin\AppData\Local\Temp\ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:2748
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3996
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
264KB

MD5
7e50a682c5001f20173364253ea5a4aa

SHA1
aba316ea7b4d63801b5f1e8d56c2ee2c516256e3

SHA256
164a1424c26468493e8ecc3b778783114c3868153496322e9b0467a91d8dbfe0

SHA512
4cb93a2da4a784ba8400a95da5bff47aa1c8312403266ac0d4ac365fc1e4641b424f29cdfd71a72c0bd22bf02c4ac93caa9ef4a808715615d2b5dbd178d8afe1

Download Submit
C:\Program Files (x86)\MSN\MSNCoreFiles\pisynctw.exe

Filesize
92KB

MD5
5742721327f87c4cefd08d210afad914

SHA1
02617803d6361a78af63a0243ee13dd05707e321

SHA256
1266d01d2c2d3b2c0f2c176aae36aa1febe99ffc236f4ae0bc8213e68d3de466

SHA512
5b4dd83188acd4201c2da01e5f36caaaa701239b296a038ac9f48e383c5a0fa158137b4dd6b8dfab4f61f34d6b2401336dbb61f78a866fc5601272b32c6bd542

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
497KB

MD5
1f237b897957876aa99829ba797f2e38

SHA1
eb2d65f0ee0ba443cf377b03fe42566aa00ef1ab

SHA256
7ac6c5a063cbbc6655620f31ce5b47b1047cc1fa1cb99812ad42612bf4ba7d64

SHA512
88755b364a3c48d6c7a00836368b9e1698d0a8d12843e0756ecdd6d2a65e23b61a045d6d9ca51bf7db34394b3183de1121ee773589e842b7226379451e5f22fc

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
484KB

MD5
93edf4e3dbf85f17e914c4b90f72839f

SHA1
d838163c6152a193938f88ec7ad1bd0c0e960556

SHA256
579c79202d9728ac3708453b8fae42ffce3acece6fab425c64f04d963a99f137

SHA512
87614eeafafcafc7524421d3108fafd58d0f053735bb84b1cfb4c3c2a107cca66979782b9c40e5b3e7d01e948f5e8ccbc39a9316d64948f499fef681359f8324

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDDFC.bat

Filesize
722B

MD5
0ee2f1117301cc260ea49a333b8ddceb

SHA1
9c0eeae27eb1dcf6013d7a12ad319e9616c63a53

SHA256
99b66d9159f2da6b1d73c08c0c0a3a6c0e47b774c19290b33ec822c5674e39e4

SHA512
431cd45a33394f019672927a4b530a7a5e14098e8b782d31aeb3e9cc91d2641bd0e784507bc4c25236b56d4f02101b4121f9d0c17fcbdb8d5c113b58d92af2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
90KB

MD5
0ac28de5e930e8a52ad6b163c5473412

SHA1
25371c9d876959cb58b50c25ad709cf98dde45bb

SHA256
06eed244d89f6e15205d5beb8085ac33c0de486dfe30eec9fb73b91de07e5f62

SHA512
c2c82449927cac953668142a3f597c06626b0b3a26e8036de34e4ca1042a572fa3befa799d43fb24a1d23c821b5ed7994e3d211b6aaced15ba31d4639e96d877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\active~1.htm

Filesize
1KB

MD5
eb567b646af843f620897b6d6052213c

SHA1
12c2624caaa138a394f3c4699936384abee86765

SHA256
ce0ebcd75f77ef71b4b3cdd5b5b30c4bc218053980e48f72fa03e793087ba695

SHA512
430ab18720bfbfeac9d58aa72ddb738395ed0a942f1d48617c607d19762640276d0f7e632e5cc947630883b136f30d58bcde4255412a0c7a818b15abc85db920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\config.xml

Filesize
513B

MD5
3713b5a27a4f3ba2f92909cb06860b59

SHA1
c4fa51fd0e0695399bbe0cf8a7572f5603657982

SHA256
d5d35ccf45b39d60f0b24a11bbb74c9106491daf1f78282d77996deccbc85e1a

SHA512
4237a3dbd7c2c5edb3f216f3c54fc18b41a588a2f6a8f3a7bf2ad985981ce16ef5abce83702e272a24a9fe8f0eab7e6c5ab20c2f5e59a11f28c0cb41cc17496d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.xml

Filesize
200B

MD5
06b00ba6c22ffb816174aef7ce85b15a

SHA1
b550295cc386901b91977d9d578d07c2fa2f7455

SHA256
cde78665284b4805b4df790ea7b52397cb9c5edb49e6082f2e24c3b1f0293d5d

SHA512
66d0ebb2cf471f120c30dc6474c3699c38482790528355eb520edec3e4ad348906db99cc05558b15814af74abe2126c5e0f001bd350ab3f4a571e2565f6211a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fngrprnt.dll

Filesize
8KB

MD5
470123d0d53d2a260719025893400928

SHA1
748b42dff8d8d789ee314758d17abaeace364244

SHA256
c28feffe76ba4ae036779bf2c04d5e0a8a6a9e5db6cf60d7de861be982f96145

SHA512
80502190a71566f9093284538a1c4d1a9ac24f4bd09746e9041b1b448c44c97d672705edc188516d21374bbd7bea55ab5a19ac134959aa3a0065e9d58b06676f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mega.gif

Filesize
13KB

MD5
1f0214c1b824e220659ab47daad70a01

SHA1
d8bee9601beecb95d10b695f9c74870c7efe15ec

SHA256
996b90cc452995b5f72108dd1925c9883552c6d6de00d79f43f2fc3268a3b017

SHA512
f36fb95e83cac126a9527c6394fe03cb65efeb8a9232ddfad64d3af13b753f45d8571849c42f0e446f8fa22aad3218b9fe51dad7b3602356f2befa1752d30e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\messen~1.xml

Filesize
257B

MD5
e5ee60c6913bc24f8003a2a266bd1b8c

SHA1
add44935a19613b43bd729d7c694d8381794a0e3

SHA256
583bf347c2665ba1a80a6189d59606eeac2e09fe54b6428357059011839aeeca

SHA512
eeee04d280c68bccb30d50795b5ef5c036ce6d323de84750621c12d151109eb95d6a385076f3de8c58a232449d192e499cc29c57e302acf2224dff1d9e7ab93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msnphoto.scr

Filesize
92KB

MD5
ed04ed8dadb0743d75056e2ea55184ee

SHA1
9e1ad3c857f22453197fd9daec6c03592cdb9d8e

SHA256
acf4cfa275cc7edec34ae2e85ee47d6df85ffbdd9f7da1aecc30064235fd6d00

SHA512
45441346d64630dab07d46cc0b836071647f34462f78cbaa7defe40af631d1f3abf0d9bbb7d6799f27de3beae06b9a2d08464035900a78f2a70c5552023bdee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pi.inf

Filesize
5KB

MD5
50cd60b8d92cc119d29fd3402379c54f

SHA1
fcef127b6710192322d81fec135266ae1510cf48

SHA256
5083d6c30a3f6310585044f8508de439d984935887edabd315c5976b03015e99

SHA512
c14113ebad396bd8771970cbd635367919dbc358b8be0cbfb1df66e4c620fae3ce7f866e0c4c719b441ee0e446868e19347281e8cbf7f02b6e118a901b9e815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pibase.dll

Filesize
44KB

MD5
98bd7d3d8acc06b4c0c7390889ef0656

SHA1
d02b2657185307698b67cfb22eb8c1bb28856964

SHA256
8e8cb8ac1f26a3dd31ef22aeb50f89336944be16be61b0fd01b6b04438dc8ede

SHA512
d2c618007783b3c4c30b692ae4e17c32c6098f2b83d7912f97e8c92f21be9ffd8802f74b3caf4fdc9aac606f0c42f860ef9c2dee766d8ccbb91a551944c1c2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pidav.dll

Filesize
80KB

MD5
96e0dcb4a51891c41cca6219fa5cbe0a

SHA1
7dad4c1d71ae6435e9a4a4ad574e68fd150b07f0

SHA256
e218e7b8508a4b2b7e0900afd9e11813863982e235343410aa6d0e8f570acdbc

SHA512
37185949f2f6ec437fee1ab73ddbb86a5073c753cdfd7b0ddd1b98eab33573f800588cbc18ae9519a1ba8dd479a44694b31010aa47ea91d9277b4023d73ced67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piorg.dll

Filesize
422KB

MD5
d433efe19fd0d9b896945f34ba839698

SHA1
ade6c8c2732fd18308b512986a485dff40a70774

SHA256
81b9f877f9198a761f820a0ea2b02eb3db85750011e50997560391dc2f160c64

SHA512
97d2d2ceba05339a830ee5ad2a1dd9667dbf7dc17b5bf4509eb72c8c6a45214756539bab2a4e7d6a663ba67a9de73878e82e7582240e3a5f76bdb1ab8bc0324f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piorgres.dll

Filesize
239KB

MD5
b294757974b9d75185ed39b1b6a2fd89

SHA1
8abb26a5bfaeb1765aa114d8f2cc3b4b01ed4e57

SHA256
80b63a6d100879f040ccc4e409bca0698a176cbd2cfa843087b0d3668c18451e

SHA512
6b2654222bc7b25784b17ef9b3d7667add7525e5d5b0fabfed7eaf2317466db2eaaea11a32580b9aac2d268e3a1c5b2e6b6afc1a8b8a760c44902a94a0b29dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pisync.dll

Filesize
192KB

MD5
7a53619ab1d41dba3a1093dce1358428

SHA1
4ab318c3b9e337ecf065ceda96b10041c0febc1c

SHA256
b024947095d3af84f47a45a35bf2647bb8a0f871c2742266b369f0ac5f735ec1

SHA512
d34c632fcf9819fd14dbef16ee70fa2adc6cf99ed540c4e3939107c6db5b94d1cf396f4f50473fb901ee1062ac98b86e82a8e50326ee6ea3c3a8597d0c0001f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pisynctw.exe

Filesize
52KB

MD5
5c6080d433f02d8f173ec738af8b451f

SHA1
137bb1172b6faeeaafb7b09026182a4fc0e030ad

SHA256
bb4a4cd4f0808bfe62b4c3024d099a78dc322ee579756a35fcbe3f8160dbbc0f

SHA512
8b091d09b19df1f9ebcc97a39b4c9e2dab840ecd7448aea53c33d3809185b07be8b58c7c56e058596d591348529cb8b29508f6769b30568d149a64ec0ec22c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\piview.dll

Filesize
304KB

MD5
4e47d1d28edd06317f7f831e2f8075f2

SHA1
831ac6c58973e0aa5db943194e89424603be0e78

SHA256
b1b03e634c085aab68e3f2c78fdcdcc745e8341c0dff6c494e88911b81a61dbc

SHA512
9baa53338e159ae1ada33b0cf2ad07e039a18604e957d022d66fa4b5bf192eb2b4be9dd0120f4a6edc012f211ff831cc2d59c2fb3a40c8580874ff6ce0c57e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\prgemp.gif

Filesize
84B

MD5
9986d91856ced30b8e9449274754821e

SHA1
6f54311a5de6b2da60172e885e606330481ff5f4

SHA256
f35aee0df2db9e5a9574d250f89be23a69c088b346a7612c34494284d6077df1

SHA512
80d942d30d73a74f8b94e8229229e6154b0abab4c69c561f26c19795ab4d56b31cdbec626a4640ed78c9bedd6db7409029822229a16a13a4755ebfb7430724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\prggrn.gif

Filesize
83B

MD5
eaa956be72f66d9d2169adc197073390

SHA1
b3fb217bab4419afb26f2899ced7aa33cab41e67

SHA256
11f68508bcd118f13a1a31bf783706850be5e80364d21a73a896449324b8eed4

SHA512
2f26c4584fca65dc8c87e311af6ed539de0b5f322fcb79fb5c03a7c529fd5c110dbdafc05d7ce686d39ff283514e7446b3d44f7df42af4fa6c03915839853fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\slides~1.js

Filesize
162KB

MD5
cf9dda1c54df6502cf15b68220fbaab6

SHA1
3b49ca279ae8d2b02c0ec898562212001c34d715

SHA256
5deb9766faf4d8be4d4d9e56360e5bdc985da19ad8e2d94e1a80a59eaecad916

SHA512
e7a6c45b8a11723b2f03d3ffd8cfc964382039c6d657fa4b7d7fbd05c42255c7aa2b83d4ac2312cbdf0b2457833e4a70864e23c788df501d45e6dccd5b8a65e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\slides~1.xml

Filesize
8KB

MD5
7b53d1103c0a17a32b60e7925f8c529e

SHA1
5b104e29fd8b9570459a2cd35b0ab35c9255bd13

SHA256
799c3b251c5856dae775c9f9fbb47c9ec33a601fcfe2e1bbd63b7f976e53c3b0

SHA512
3636c2844bca0eec6369683d3af49a1eaad9dfb2115941e2942980079f1af0e1acb4aa6fd00259a4cb6647805e91c3d18a731ca522d0be2157ce5d7a13d04e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\splash.gif

Filesize
2KB

MD5
28e38509e9aced026d1a5dbc8f1dc767

SHA1
73b5cbee7ebfc693484a20cdc472efb0e3aaebb8

SHA256
696ca709ae25835fffa1dddabb725e93f1c5de461c659ecf0a7878b704358c12

SHA512
95ed6f422e21e9301c206758b02a60a81fd7b09f13b1c2293e5405878e25e04ddde46902d82dd69bd496a6396884e738a4d0eea25bb57bdf55bd949c4f85d20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\startup.js

Filesize
19KB

MD5
82dac91011c75b5e433e29ab43780c8c

SHA1
23438c2e48ea5324cf3a9727320474540e5cdd45

SHA256
1cc5e3ce8704492f87932983847c8c5a2be2aac1a4744b9fc5d0749efcd27321

SHA512
bb0d1e0d50dc0eaca926ad1246ee0c54e587468ffc65adfcf8e9df2881661394ae8c8eb32d9b60c8e70c45350d111489f6aa1ce61fb420c087545c1dfd4dc85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unicows.dll

Filesize
239KB

MD5
e1102cedf0c818984c2aca2a666d4c5f

SHA1
d8d88ea7083aee9c40f6fdc6c56451a018d21a83

SHA256
22f23cc65698741184ec34f46e6f69717644e0b5aabf5d5bd015101f2d72e56e

SHA512
e58b35815801d6d3797f95c986834d2ca5450ccc3f1fa1d27d127a8d1d36f8e21279173715a00686c9c831d22d7c5b5b9cc5874170223a4d78f09c4eefa390a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viewer.htm

Filesize
1KB

MD5
79c164f8143e4a53e87a758e82afe3e0

SHA1
9bb5f1f62b2ba8edaef186cba37366d637241c9a

SHA256
e22c640fb743ed4f898aee780cd7f51380486ccbd798593e999e5b5dc6442551

SHA512
d8f49cf262cda54efd815029f78ac0e79db45c67295ed1f30add36a36f6ca3913f983881ac478063e2d94f1ca3e672d6521aae093b439ab873de221cce68f7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe

Filesize
863KB

MD5
8afc7670b061d457897be947f591bc24

SHA1
c0c977f0d2e7f99d4654a256edad0d7c0eeb2f59

SHA256
a470a96915630203d83d4a40e571ae59965e8fcc01bf5b51918c6222f6686377

SHA512
bd800a5c864f93e0ccc52b988a5faf740feff74531280ea5a5c4d08d295158162ae2cd417c64d09298bd24befd3192a765b35fdd8b109799c442ba1ed1288d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed5982dd32316b2d16f0490c633ee43f3c0d6b62207dc8351d63b07d9a27d532.exe.exe

Filesize
863KB

MD5
8afc7670b061d457897be947f591bc24

SHA1
c0c977f0d2e7f99d4654a256edad0d7c0eeb2f59

SHA256
a470a96915630203d83d4a40e571ae59965e8fcc01bf5b51918c6222f6686377

SHA512
bd800a5c864f93e0ccc52b988a5faf740feff74531280ea5a5c4d08d295158162ae2cd417c64d09298bd24befd3192a765b35fdd8b109799c442ba1ed1288d9c

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
d03106eab89f06d8dd32f7c0e7af425d

SHA1
cecc83a5ba47386cbfb7b85eefc0dff700ff4788

SHA256
04263f183b347f3856c4dbd5f30da68a9d31776936f7a5ccd86cfbcaefecfc44

SHA512
30dbe45f50499a252ffb1584875fa8c7fb3eee8cc825bc4c5c248dc9240718dc5e9af777e475d1b4a9631482b24d89dc43d80665d78bd25bbc51cce4d5529abc

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
d03106eab89f06d8dd32f7c0e7af425d

SHA1
cecc83a5ba47386cbfb7b85eefc0dff700ff4788

SHA256
04263f183b347f3856c4dbd5f30da68a9d31776936f7a5ccd86cfbcaefecfc44

SHA512
30dbe45f50499a252ffb1584875fa8c7fb3eee8cc825bc4c5c248dc9240718dc5e9af777e475d1b4a9631482b24d89dc43d80665d78bd25bbc51cce4d5529abc

Download Submit
C:\Windows\rundl132.exe

Filesize
39KB

MD5
d03106eab89f06d8dd32f7c0e7af425d

SHA1
cecc83a5ba47386cbfb7b85eefc0dff700ff4788

SHA256
04263f183b347f3856c4dbd5f30da68a9d31776936f7a5ccd86cfbcaefecfc44

SHA512
30dbe45f50499a252ffb1584875fa8c7fb3eee8cc825bc4c5c248dc9240718dc5e9af777e475d1b4a9631482b24d89dc43d80665d78bd25bbc51cce4d5529abc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1574508946-349927670-1185736483-1000\_desktop.ini

Filesize
9B

MD5
aec6bbf704de8af243f3e9add8732550

SHA1
1fad16c82d710536532e146137be098c172182ee

SHA256
d20a8fade634d93ece501e8946d07bc8d0ecdefea8b585ce5286a42e43111334

SHA512
cdbe9134f8057a95af0d39894c7f8e513faa85749dde984f6369164056f7986429a3a724da3812533c3f2f6108c440c37dff20c0d7a1c664a6a5c7424c9051e5

Download Submit
memory/2064-378-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-470-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-1833-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-2983-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-6031-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2064-8808-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3536-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3536-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download