blackmoon | 902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db

Analysis

max time kernel
144s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
Size

4.5MB
MD5

ecfd8183b2b80bf1aa59ebc5e50c09b5
SHA1

6bb7ff978b005fc590496b3ce7c1e45c9ca1ba93
SHA256

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db
SHA512

41a1666ffacf32a86c4799b5368a57d56327b5ba8edfec1562e030441ccbbaa2340f8570f8d5f8ffaba4edfd3650ac8a77dbb3c65d58b442888f40acfee34c93
SSDEEP

49152:xNIlMFEedDqnroHO8wOZHOlvbuambSIN+6a9AknH:xNIicnsHtvZHUbmb/+TK

Score

10^/10

blackmoon banker discovery spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 30 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4460-0-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-1-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-11-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-22-0x00000000029A0000-0x00000000029B1000-memory.dmp	family_blackmoon
behavioral2/memory/4460-34-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-30-0x00000000029A0000-0x00000000029B1000-memory.dmp	family_blackmoon
behavioral2/memory/4460-23-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-21-0x00000000029A0000-0x00000000029B1000-memory.dmp	family_blackmoon
behavioral2/memory/4460-14-0x0000000002990000-0x000000000299F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-35-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/4460-37-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-40-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-41-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-47-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/1116-51-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/4460-49-0x0000000002670000-0x000000000289F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-52-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-86-0x0000000003550000-0x0000000003561000-memory.dmp	family_blackmoon
behavioral2/memory/1116-83-0x0000000003550000-0x0000000003561000-memory.dmp	family_blackmoon
behavioral2/memory/1116-82-0x0000000003550000-0x0000000003561000-memory.dmp	family_blackmoon
behavioral2/memory/1116-74-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-75-0x0000000003540000-0x000000000354F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-91-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/1116-93-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-94-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-95-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-103-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/1116-105-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon
behavioral2/memory/1116-107-0x0000000000400000-0x0000000000891000-memory.dmp	family_blackmoon
behavioral2/memory/1116-106-0x0000000002650000-0x000000000287F000-memory.dmp	family_blackmoon

Drops file in Drivers directory 2 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\msvcp30.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Loads dropped DLL 2 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

pid	process
4460	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4460-22-0x00000000029A0000-0x00000000029B1000-memory.dmp	upx
behavioral2/memory/4460-31-0x0000000074480000-0x00000000744BC000-memory.dmp	upx
behavioral2/memory/4460-30-0x00000000029A0000-0x00000000029B1000-memory.dmp	upx
behavioral2/memory/4460-21-0x00000000029A0000-0x00000000029B1000-memory.dmp	upx
C:\Windows\SysWOW64\msvcp30.dll	upx
behavioral2/memory/4460-18-0x00000000029A0000-0x00000000029B1000-memory.dmp	upx
behavioral2/memory/4460-36-0x0000000074480000-0x00000000744BC000-memory.dmp	upx
behavioral2/memory/4460-50-0x0000000074480000-0x00000000744BC000-memory.dmp	upx
behavioral2/memory/1116-86-0x0000000003550000-0x0000000003561000-memory.dmp	upx
behavioral2/memory/1116-85-0x0000000074230000-0x000000007426C000-memory.dmp	upx
behavioral2/memory/1116-83-0x0000000003550000-0x0000000003561000-memory.dmp	upx
behavioral2/memory/1116-82-0x0000000003550000-0x0000000003561000-memory.dmp	upx
behavioral2/memory/1116-79-0x0000000003550000-0x0000000003561000-memory.dmp	upx
behavioral2/memory/1116-92-0x0000000074230000-0x000000007426C000-memory.dmp	upx
behavioral2/memory/1116-104-0x0000000074230000-0x000000007426C000-memory.dmp	upx
behavioral2/memory/1116-109-0x0000000074230000-0x000000007426C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

description	ioc	process
File opened (read-only)	\??\L:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\M:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\O:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\S:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\V:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\X:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\A:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\E:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\W:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\Z:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\I:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\J:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\K:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\N:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\P:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\Q:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\G:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\H:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\T:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\U:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\Y:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\B:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened (read-only)	\??\R:	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Drops file in System32 directory 4 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File created	C:\Windows\SysWOW64\msvcp30.dll	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.ini	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\Windows\SysWOW64\msvcp30.dll	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Drops file in Windows directory 6 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

description	ioc	process
File created	C:\Windows\msvcp30.ico	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\Windows\msvcp30.ini	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File created	C:\Windows\msvcp30.dll	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\Windows\msvcp30.ico	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\Windows\msvcp30.ini	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
File opened for modification	C:\Windows\msvcp30.dll	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
5064	msedge.exe
5064	msedge.exe
4868	msedge.exe
4868	msedge.exe
1672	identity_helper.exe
1672	identity_helper.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

description	pid	process
Token: SeDebugPrivilege	4460	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
Token: SeDebugPrivilege	1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

pid	process
4460	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exemsedge.exe

description	pid	process	target process
PID 4460 wrote to memory of 1116	4460	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
PID 4460 wrote to memory of 1116	4460	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
PID 4460 wrote to memory of 1116	4460	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
PID 1116 wrote to memory of 4868	1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe	msedge.exe
PID 1116 wrote to memory of 4868	1116	902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe	msedge.exe
PID 4868 wrote to memory of 3464	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3464	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 568	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 5064	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 5064	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3356	4868	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
"C:\Users\Admin\AppData\Local\Temp\902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe
"C:\Users\Admin\AppData\Local\Temp\902e62cf0b25e592c29f02dc165e37b17e2eec9fdc8644d1b141e997095b37db.exe" Master
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.30my.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb8,0x108,0x7ffe8a4746f8,0x7ffe8a474708,0x7ffe8a474718
4⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
4⤵
PID:568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
4⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
4⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
4⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
4⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
4⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
4⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
4⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
4⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
4⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
4⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,18332758154713019653,3107332486572609283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
4⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
afa406d25a204f3d9e39c2e10329a2fd

SHA1
853400b351b8d9476027369dad3db1a8454032c1

SHA256
6172e2d837e1c782c01f6a9cf715e3db0564f0df19b4d5cbab5ad8e6c088f80d

SHA512
9fe73b24ccd34aa1d49b836994dffdf0c826451078acb48c9295621dbda92789aff2ae627dc3cac51acba660f959bc4d494693e902cf1867bd914d745878dd9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cf4b68cac4bbf44dbc6404539d40b99a

SHA1
b03ebf08b687d4e93851e958a4d94a1f736313c3

SHA256
040ff968acbebddea53599ac3c0ae7583ebf7cbea812288569cbf2834fec4d97

SHA512
da1ed00c4ce75690615affb5cc0db93644d298505f954b189b49e71998235feeb3397b6ef71c9e060de395edac55e92921cf36db2696991435d3e4c9ad75d728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e76a7748732d97533cdd12fbe5fbec89

SHA1
653d83fa81d11a2550b99bf012880dc88eaac7f2

SHA256
c37dcb8bd80215af6804766f5d05a9aab7880390f01818b87006ecdfa492e202

SHA512
8331dc32d8d4854d3e491722fbbdf996e8beedb2aa2933ea5671267a15f9eeb8c9a741a45f3050c081f5682da9464683a7b2c235fe0ba009cab1a41bae5d450f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b8ed70d36a0a0c17d48c4593c8d0d14e

SHA1
e7e42d20043715bf84fb6c75a8ff519b67ea6929

SHA256
9857df9317c9deed9808a04d8de295f589b37b9c2056f4289c7331b00963d1ca

SHA512
4caefdefd16fd2f97707a42188cca50b369f0b04c61fadfd84d639708b9b77cd80ec0d19eaae3ad2fcdb71c410d3f22320c952716375ebfd2fd87c7ff0fb066b

Download Submit
C:\Users\Admin\Desktop\Ä§Óò·¢²¼Íø.url

Filesize
120B

MD5
5c8c7c3ce78aa0a9d56f96ab77676682

SHA1
1a591e2d34152149274f46d754174aa7a7bb2694

SHA256
40a172493bd1337c6bfd9c0af15be6d6e5d539135dd766577a05362e859ff806

SHA512
8ef03cf1967157cf019d1e7b585a45042642d5a1d82c90ef68f1256e40fe162460e7c26919b1fdf8c33de9f95201ee6a13e69676436d7251a017c04fdf047a77

Download Submit
C:\Windows\SysWOW64\msvcp30.dll

Filesize
93KB

MD5
a6c4f055c797a43def0a92e5a85923a7

SHA1
efaa9c3a065aff6a64066f76e7c77ffcaaf779b2

SHA256
73bd285ac6fba28108cdc0d7311e37c4c4fc3ba7d0069c4370778ac3099e21a9

SHA512
d8120f7f59c212867c78af42f93db64d35f2d6eae7fc09021c0a6d8ca71a14bd2b2a3006027094ee2edcf65634dcdb3ac96da3ac810171fff021bed4c4254957

Download Submit
C:\Windows\SysWOW64\msvcp30.ini

Filesize
18B

MD5
2cd7883782c594d2e2654f8fe988fcbe

SHA1
042bcb87c29e901d70c0ad0f8fa53e0338c569fc

SHA256
aa98ce751ef6ac5401a9278f30c06e250dbbd5e8c2e2c378b0fdf33a205d7037

SHA512
88413dc63847682207d2b1e6cdfcb3de9cc73da5f900a1948e4aa262da20056bcb2486ee8a7c8a4f9b0aa3fdff6b99061262fbc67aebc99bf0b42e5bfc7db360

Download Submit
C:\Windows\msvcp30.ico

Filesize
264KB

MD5
bdccf3c42497089ae7001328305906ed

SHA1
cf6f28e09d98ebe516b408e6b15f03f5891fdc79

SHA256
5f191e3486c0bafdd237f8b79f6ce0f69d1f8c9f8c948d14ab061db36286b2f2

SHA512
d7876d8d414ca48903393aa523296ffe35bfa3c6b5bfc4ce70adfc93d31efa61a9bfeea571754cde2e205416e57c13df5c45551b5e6aae6eb53b951065ebbf5d

Download Submit
\??\pipe\LOCAL\crashpad_4868_VRYHXROZGDDALUPB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1116-95-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-105-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-106-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-107-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1116-109-0x0000000074230000-0x000000007426C000-memory.dmp

Filesize
240KB

Download
memory/1116-103-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1116-104-0x0000000074230000-0x000000007426C000-memory.dmp

Filesize
240KB

Download
memory/1116-102-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1116-51-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-94-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-93-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-52-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-60-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1116-86-0x0000000003550000-0x0000000003561000-memory.dmp

Filesize
68KB

Download
memory/1116-85-0x0000000074230000-0x000000007426C000-memory.dmp

Filesize
240KB

Download
memory/1116-83-0x0000000003550000-0x0000000003561000-memory.dmp

Filesize
68KB

Download
memory/1116-82-0x0000000003550000-0x0000000003561000-memory.dmp

Filesize
68KB

Download
memory/1116-74-0x0000000002650000-0x000000000287F000-memory.dmp

Filesize
2.2MB

Download
memory/1116-79-0x0000000003550000-0x0000000003561000-memory.dmp

Filesize
68KB

Download
memory/1116-75-0x0000000003540000-0x000000000354F000-memory.dmp

Filesize
60KB

Download
memory/1116-91-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/1116-92-0x0000000074230000-0x000000007426C000-memory.dmp

Filesize
240KB

Download
memory/4460-40-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-50-0x0000000074480000-0x00000000744BC000-memory.dmp

Filesize
240KB

Download
memory/4460-14-0x0000000002990000-0x000000000299F000-memory.dmp

Filesize
60KB

Download
memory/4460-35-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/4460-37-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-0-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-47-0x0000000000400000-0x0000000000891000-memory.dmp

Filesize
4.6MB

Download
memory/4460-46-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/4460-41-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-36-0x0000000074480000-0x00000000744BC000-memory.dmp

Filesize
240KB

Download
memory/4460-6-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4460-18-0x00000000029A0000-0x00000000029B1000-memory.dmp

Filesize
68KB

Download
memory/4460-49-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-21-0x00000000029A0000-0x00000000029B1000-memory.dmp

Filesize
68KB

Download
memory/4460-23-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-30-0x00000000029A0000-0x00000000029B1000-memory.dmp

Filesize
68KB

Download
memory/4460-34-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-31-0x0000000074480000-0x00000000744BC000-memory.dmp

Filesize
240KB

Download
memory/4460-22-0x00000000029A0000-0x00000000029B1000-memory.dmp

Filesize
68KB

Download
memory/4460-11-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download
memory/4460-1-0x0000000002670000-0x000000000289F000-memory.dmp

Filesize
2.2MB

Download