amadey | 56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674

Analysis

max time kernel
160s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe
Size

851KB
MD5

332be1fd1afc1ede533225df48f347a6
SHA1

ab007191fcbe1bcf3ac12ae4e02b52be4021b386
SHA256

56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674
SHA512

15d2762fdfe564103f6d5f20ec7e83b3861374b9d300abbe25b776876637ca819ffa7f4a7a24d113e7069e9ab6b8ecb3791d3ec2df6bab5495c24e0ff8eaf684
SSDEEP

24576:Lyokio090afwEzoDl/ueBan7URNlto0O6HId9ASfyu:+cIafRzoFBan7URNbo0xoPL

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1aN73RF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1aN73RF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1aN73RF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1aN73RF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1aN73RF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1aN73RF8.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	4Ia413Ie.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	5nT1Fl7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 14 IoCs

pid	Process
2192	cK5xf37.exe
1316	pc7OS86.exe
1780	yt3Dp39.exe
4936	to4uY17.exe
2436	1aN73RF8.exe
3124	4Ia413Ie.exe
1292	explothe.exe
1604	5nT1Fl7.exe
412	legota.exe
4172	6Es4UL91.exe
5432	explothe.exe
5452	legota.exe
5716	explothe.exe
5568	legota.exe

Loads dropped DLL 2 IoCs

pid	Process
5736	rundll32.exe
5744	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1aN73RF8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1aN73RF8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cK5xf37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pc7OS86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	yt3Dp39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	to4uY17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3240	schtasks.exe
4380	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2436	1aN73RF8.exe
2436	1aN73RF8.exe
4904	msedge.exe
4904	msedge.exe
3380	msedge.exe
3380	msedge.exe
3812	msedge.exe
3812	msedge.exe
5044	identity_helper.exe
5044	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	1aN73RF8.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 2192	3848	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe	86
PID 3848 wrote to memory of 2192	3848	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe	86
PID 3848 wrote to memory of 2192	3848	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe	86
PID 2192 wrote to memory of 1316	2192	cK5xf37.exe	87
PID 2192 wrote to memory of 1316	2192	cK5xf37.exe	87
PID 2192 wrote to memory of 1316	2192	cK5xf37.exe	87
PID 1316 wrote to memory of 1780	1316	pc7OS86.exe	88
PID 1316 wrote to memory of 1780	1316	pc7OS86.exe	88
PID 1316 wrote to memory of 1780	1316	pc7OS86.exe	88
PID 1780 wrote to memory of 4936	1780	yt3Dp39.exe	89
PID 1780 wrote to memory of 4936	1780	yt3Dp39.exe	89
PID 1780 wrote to memory of 4936	1780	yt3Dp39.exe	89
PID 4936 wrote to memory of 2436	4936	to4uY17.exe	90
PID 4936 wrote to memory of 2436	4936	to4uY17.exe	90
PID 4936 wrote to memory of 2436	4936	to4uY17.exe	90
PID 1316 wrote to memory of 3124	1316	pc7OS86.exe	98
PID 1316 wrote to memory of 3124	1316	pc7OS86.exe	98
PID 1316 wrote to memory of 3124	1316	pc7OS86.exe	98
PID 3124 wrote to memory of 1292	3124	4Ia413Ie.exe	99
PID 3124 wrote to memory of 1292	3124	4Ia413Ie.exe	99
PID 3124 wrote to memory of 1292	3124	4Ia413Ie.exe	99
PID 2192 wrote to memory of 1604	2192	cK5xf37.exe	100
PID 2192 wrote to memory of 1604	2192	cK5xf37.exe	100
PID 2192 wrote to memory of 1604	2192	cK5xf37.exe	100
PID 1292 wrote to memory of 3240	1292	explothe.exe	101
PID 1292 wrote to memory of 3240	1292	explothe.exe	101
PID 1292 wrote to memory of 3240	1292	explothe.exe	101
PID 1292 wrote to memory of 3336	1292	explothe.exe	103
PID 1292 wrote to memory of 3336	1292	explothe.exe	103
PID 1292 wrote to memory of 3336	1292	explothe.exe	103
PID 1604 wrote to memory of 412	1604	5nT1Fl7.exe	105
PID 1604 wrote to memory of 412	1604	5nT1Fl7.exe	105
PID 1604 wrote to memory of 412	1604	5nT1Fl7.exe	105
PID 3336 wrote to memory of 3656	3336	cmd.exe	108
PID 3336 wrote to memory of 3656	3336	cmd.exe	108
PID 3336 wrote to memory of 3656	3336	cmd.exe	108
PID 3336 wrote to memory of 2080	3336	cmd.exe	106
PID 3336 wrote to memory of 2080	3336	cmd.exe	106
PID 3336 wrote to memory of 2080	3336	cmd.exe	106
PID 3848 wrote to memory of 4172	3848	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe	107
PID 3848 wrote to memory of 4172	3848	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe	107
PID 3848 wrote to memory of 4172	3848	NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe	107
PID 412 wrote to memory of 4380	412	legota.exe	110
PID 412 wrote to memory of 4380	412	legota.exe	110
PID 412 wrote to memory of 4380	412	legota.exe	110
PID 412 wrote to memory of 2760	412	legota.exe	112
PID 412 wrote to memory of 2760	412	legota.exe	112
PID 412 wrote to memory of 2760	412	legota.exe	112
PID 2760 wrote to memory of 1784	2760	cmd.exe	115
PID 2760 wrote to memory of 1784	2760	cmd.exe	115
PID 2760 wrote to memory of 1784	2760	cmd.exe	115
PID 3336 wrote to memory of 5088	3336	cmd.exe	116
PID 3336 wrote to memory of 5088	3336	cmd.exe	116
PID 3336 wrote to memory of 5088	3336	cmd.exe	116
PID 4172 wrote to memory of 4872	4172	6Es4UL91.exe	117
PID 4172 wrote to memory of 4872	4172	6Es4UL91.exe	117
PID 2760 wrote to memory of 3760	2760	cmd.exe	118
PID 2760 wrote to memory of 3760	2760	cmd.exe	118
PID 2760 wrote to memory of 3760	2760	cmd.exe	118
PID 3336 wrote to memory of 2912	3336	cmd.exe	120
PID 3336 wrote to memory of 2912	3336	cmd.exe	120
PID 3336 wrote to memory of 2912	3336	cmd.exe	120
PID 2760 wrote to memory of 2724	2760	cmd.exe	121
PID 2760 wrote to memory of 2724	2760	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.56df87530d94170d58020ed2302a6610f69a73b63235acc7a6724892ab573674_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cK5xf37.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cK5xf37.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pc7OS86.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pc7OS86.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yt3Dp39.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yt3Dp39.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\to4uY17.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\to4uY17.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aN73RF8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aN73RF8.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ia413Ie.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ia413Ie.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3240
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:560
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:5744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5nT1Fl7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5nT1Fl7.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1784
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:2724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2504
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:2648
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:4560
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Es4UL91.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Es4UL91.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A47.tmp\9A48.tmp\9A59.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Es4UL91.exe"
    3⤵
    PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd57ad46f8,0x7ffd57ad4708,0x7ffd57ad4718
        5⤵
        
        PID:3844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
        5⤵
        
        PID:4412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        5⤵
        
        PID:3656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:3572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:1100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
        5⤵
        
        PID:2172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
        5⤵
        
        PID:944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        5⤵
        
        PID:4708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
        5⤵
        
        PID:4804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
        5⤵
        
        PID:944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12239439898544640682,7550878750732684607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
        5⤵
        
        PID:1944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd57ad46f8,0x7ffd57ad4708,0x7ffd57ad4718
        5⤵
        
        PID:5012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,3879947084911269645,2930518121390166416,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:2936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,3879947084911269645,2930518121390166416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5432

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5452

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5716

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7f0127e7-0a8b-4bf3-ae58-54dea6394037.tmp

Filesize
2KB

MD5
3065d4c5b37753972b52faba87e004ff

SHA1
14bbe7cd92e8426871baa6c9a6f9bd935846d275

SHA256
a7c542a30f822811bc7407bee923d7d192617878b22b676f6bdbb2e84273dc8e

SHA512
a5bab2f568a55fbffb13a67f1ad419342faf3d58ce722cd55fff664747cdfb9354a4d16fc9c1ea5fc49ee3a756490b8c804d4c62b1713bc5f1c9cff1d44b8f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0987267c265b2de204ac19d29250d6cd

SHA1
247b7b1e917d9ad2aa903a497758ae75ae145692

SHA256
474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264

SHA512
3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\78679483-0c5a-4ac6-99c3-ee76e1bed0bc.tmp

Filesize
6KB

MD5
61c7af4a68976a6611baaf7a79d623db

SHA1
38edc4134c924b6aa2d72cc2d25d9a3cff9289e1

SHA256
398e47cdf4f80955a4812647096f202e5a699a6a59c14785dc5cb72bea2a9e36

SHA512
9b4b989e96e42f75ddba77e6e7339e1daa8c5a11f17be0747d36fbae28a2123f4543115eb797a44a1233c2ad67941bd596bcd6c785c65d1d0a46ade324fa4809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
93993f520c5faf237b1232d089c02343

SHA1
fd1205b6e577fce7768f2958b292d4e267d97022

SHA256
4174600ba851b8f7072cbd24c65f42be652f7a7f8ab3f4910026f600624c1149

SHA512
e5b2452c65e592ea3e318b43d56b4b9f93d237a8e82c6a7b3413227d454fafb0a841b67ec2b86e46ee7a80a630ce3e578d66f9e0763e6403c7f099e913ca8ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0d2631ab7d9dc2351c5ba9e6d31f698b

SHA1
17b1193680ffd16b8c0d01d31f0654163784f9d1

SHA256
8a19d0171e48a8a3d770766a692b4ee47b6172bd11073469ea2e7e4d44a163c8

SHA512
53a57baf08f0e888b8796df09f10b3e5a8a8638e2547ee3ffa9da690042bd23b2f5b038a7fc10deef5dea96327ad030c517ca1247c8514d2a62ccd8099f6a44a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ebe41fd2ccf91d7a470ad20f473838f

SHA1
1d1398c7b40938c2800ea11aa1c65a42e72a8e56

SHA256
1c998efe81bc9c8532897659e11930d47b83f9137d34c938f6ac90f5d4698c7d

SHA512
927ac4f8b701bda49f4b78275ce7a0cde3d9736d7b037eb2c5a2c924155f8ea34345443f540a6d5d8d441d7e86b44fc79b953bf3fc8991bb76031280de1dda81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
d42af2fc64921dcc61ed738fc8f8e4d6

SHA1
b5e9fd7fa5763d940bc47f02502c8a9c5c4e13c5

SHA256
bcab407dd944115d91e8d89de9b55103ea9b827c2b18c04c6489364f6439962c

SHA512
539086355fa6e922d2337bd90626f10b22125013a486dea5721dcede6a898740dc51bf9305a73b46934ede6b7758417ea92a45fb7eeeba391d097022456db5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b578d6f2c0b630d16a7a906f642bf638

SHA1
23e7567b3eb2b439b5f317c6155ce4e964ea88ca

SHA256
41cb9afd855f3adad993b5ccf73830dbb5a29e605cff875038cc9fa294ef8bd5

SHA512
59a04da1f12e7b6016ec746b97ef32b2a3307b807986d2c2e08385eff15124e42a76eed1cd23de5f8f616540bb1f9ea110c55625ae2aff7511e026e1ce31ce46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597546.TMP

Filesize
872B

MD5
cb710c182f06285f8217206d0f462f4a

SHA1
23ea7291aa4959c6bb572ef3a7b2e86104861d9d

SHA256
14293ca33072b81390567c787342f9c33eeb16816bf4d6c274609672f3b15e9b

SHA512
d5c8b176d565e5ab02990dbe5dd47c27651a85b51f9565660d49b373b9cc7245206128f6f3dd85faa423563788b72a857455c114286fb174a570d0ca099f70f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3065d4c5b37753972b52faba87e004ff

SHA1
14bbe7cd92e8426871baa6c9a6f9bd935846d275

SHA256
a7c542a30f822811bc7407bee923d7d192617878b22b676f6bdbb2e84273dc8e

SHA512
a5bab2f568a55fbffb13a67f1ad419342faf3d58ce722cd55fff664747cdfb9354a4d16fc9c1ea5fc49ee3a756490b8c804d4c62b1713bc5f1c9cff1d44b8f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f9dffa3680c4b574f408a1fb20dd0b4c

SHA1
ef5e13b8bb7efafdf31d1067bcec867d6c417ce3

SHA256
5316e2cb282d34cfe03f09efe933ecfc634da80a14682c0eb4175aa489161b97

SHA512
ef7fe305715c792c7782f2ebec71367baa08ccfc3d97a39015a6b3a0e2189645ab363e380258a4954eb2957f868c0d536e65e4e8a7d123119c6544806a94daff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A47.tmp\9A48.tmp\9A59.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Es4UL91.exe

Filesize
100KB

MD5
f8380f7d08d3c4a3f065d6c2e851aac2

SHA1
d878d9d2770bc06aa044702d00d8dece76e0fea7

SHA256
15d30ddc7183ab1054de0142465ed21ee3c75cb40a967cc598f27aa68813d2bb

SHA512
67952b3bdb76e159838fe3f7de844b9bcb9848c3189dc7d8df93cf9e11267d52de0bacb4e328bd9ba13b554f72224997ae7a650ce35c3c7e06195c6e6c6deb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Es4UL91.exe

Filesize
100KB

MD5
f8380f7d08d3c4a3f065d6c2e851aac2

SHA1
d878d9d2770bc06aa044702d00d8dece76e0fea7

SHA256
15d30ddc7183ab1054de0142465ed21ee3c75cb40a967cc598f27aa68813d2bb

SHA512
67952b3bdb76e159838fe3f7de844b9bcb9848c3189dc7d8df93cf9e11267d52de0bacb4e328bd9ba13b554f72224997ae7a650ce35c3c7e06195c6e6c6deb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cK5xf37.exe

Filesize
713KB

MD5
15099c317e73938253671fa4f1f9f340

SHA1
6949226a963591210f9bfcd8a061f6510938baa1

SHA256
d52a595fa35fd11ac1b2c27d20f4de1d60bf1b4a39f0684a81a8a6b7235c9f2d

SHA512
8d667cfeb1810263f5f116daa07ba3576d00df8c4372c7664e43f90de0e0858b2e857e1cb4f2bec7d5a878270fcc8c9ea09a6918c57635af2113b366d44c1fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cK5xf37.exe

Filesize
713KB

MD5
15099c317e73938253671fa4f1f9f340

SHA1
6949226a963591210f9bfcd8a061f6510938baa1

SHA256
d52a595fa35fd11ac1b2c27d20f4de1d60bf1b4a39f0684a81a8a6b7235c9f2d

SHA512
8d667cfeb1810263f5f116daa07ba3576d00df8c4372c7664e43f90de0e0858b2e857e1cb4f2bec7d5a878270fcc8c9ea09a6918c57635af2113b366d44c1fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5nT1Fl7.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5nT1Fl7.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pc7OS86.exe

Filesize
545KB

MD5
2d0ecf5c1885994451f07334433844a5

SHA1
fce4975a45d638dccfc16ac52040118c07fc0969

SHA256
97b3fd12c8feea35f3ced8e194f8376e4e603e32ca60424b850735895bfa545b

SHA512
0b30f67987de879df23762ba1b4eb2952f7b0a958cd0eaf73eea645ddc91a129ec3332bf65398cbe34eb53fade22996c0da70b0033f5f22c81ba9f757f56a891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pc7OS86.exe

Filesize
545KB

MD5
2d0ecf5c1885994451f07334433844a5

SHA1
fce4975a45d638dccfc16ac52040118c07fc0969

SHA256
97b3fd12c8feea35f3ced8e194f8376e4e603e32ca60424b850735895bfa545b

SHA512
0b30f67987de879df23762ba1b4eb2952f7b0a958cd0eaf73eea645ddc91a129ec3332bf65398cbe34eb53fade22996c0da70b0033f5f22c81ba9f757f56a891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ia413Ie.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ia413Ie.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yt3Dp39.exe

Filesize
363KB

MD5
49461c50fb23101f30976d27324fe1f3

SHA1
2cf2686f34874730be48030debaf578acc506488

SHA256
5798c4c604b0db04e9b8f3dbf9404714b67f5b34a67e6192a55b19b1320c1394

SHA512
0f554a714c8f77717b3c53bced4059db401ace436d2cdf2079387f959e4ea2c0b3948503347727517efdae0bc1ab8a47d593b4064979ddad8d5d3d3ed90c23d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yt3Dp39.exe

Filesize
363KB

MD5
49461c50fb23101f30976d27324fe1f3

SHA1
2cf2686f34874730be48030debaf578acc506488

SHA256
5798c4c604b0db04e9b8f3dbf9404714b67f5b34a67e6192a55b19b1320c1394

SHA512
0f554a714c8f77717b3c53bced4059db401ace436d2cdf2079387f959e4ea2c0b3948503347727517efdae0bc1ab8a47d593b4064979ddad8d5d3d3ed90c23d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\to4uY17.exe

Filesize
265KB

MD5
9ba3381f48a065a24d8edcae4739ea2d

SHA1
c0e9dcd3d65e75e629cd25badfe6ef07aff7c77b

SHA256
6e0c1451e4e8cd9fc13de58f655a4f2862037e5a8a6a9ab9da0db21a2054c081

SHA512
546b185620758096454ca3523184ddb5d210afe6077e96e7574b8383d939fa99c423d6b3d4c0b04da77ff929f49234f7e4f5dbcb537e7517fecaf9a2f87286ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\to4uY17.exe

Filesize
265KB

MD5
9ba3381f48a065a24d8edcae4739ea2d

SHA1
c0e9dcd3d65e75e629cd25badfe6ef07aff7c77b

SHA256
6e0c1451e4e8cd9fc13de58f655a4f2862037e5a8a6a9ab9da0db21a2054c081

SHA512
546b185620758096454ca3523184ddb5d210afe6077e96e7574b8383d939fa99c423d6b3d4c0b04da77ff929f49234f7e4f5dbcb537e7517fecaf9a2f87286ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aN73RF8.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aN73RF8.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VR96qy.exe

Filesize
51B

MD5
ff96189a7f44286fec40c3c5d52c8c10

SHA1
ae43b720a57e9431291f69bd647115c5cae2f4c3

SHA256
56113f6c52790bc58c218be08491d3bd8ffcecc39fb69e71da16ac0e47b8e62e

SHA512
bc9758c8b65beb6ffc52678ea453553e7786b25cc77889f33fe9f6380ba2e8ffbc661fdb04eb7e3d9c3eb6c89e0971a4183d50e25e0339c5df8059e97335efd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
ec41f740797d2253dc1902e71941bbdb

SHA1
407b75f07cb205fee94c4c6261641bd40c2c28e9

SHA256
47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520

SHA512
e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
273B

MD5
6d5040418450624fef735b49ec6bffe9

SHA1
5fff6a1a620a5c4522aead8dbd0a5a52570e8773

SHA256
dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3

SHA512
bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Download Submit
memory/2436-64-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-38-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2436-56-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-54-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-52-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-50-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-48-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-46-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-44-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-42-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-62-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-58-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-68-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-60-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-69-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2436-70-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2436-71-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2436-40-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/2436-73-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2436-39-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download
memory/2436-66-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/2436-37-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2436-36-0x00000000048D0000-0x00000000048EE000-memory.dmp

Filesize
120KB

Download
memory/2436-35-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download