a9ffe5bb14b05e775f34f9eeff41fca89a350d49252eedae1e330e88952e7f36

Analysis

max time kernel
81s
max time network
83s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2024, 11:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Drivers/HIDGuardian/HIDGuardian Install (Run as Admin).bat
Size

377B
MD5

30cab8ec7ceeac504feb97217931982a
SHA1

bd49ce2c7b524bbe74baf6bc76297746680b0da4
SHA256

be7d428a517fa481fcca0136f5efc7255dccb4084dafc59b1ddeb10723ba1568
SHA512

1a9860ddfd46a3713170d73f153e581d1c6150dc09a2be62867ee9899972a70040b24b65647da4e33f8e577fad61ea5d63ffc84182950086e228fbc62871027a

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET8194.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET8194.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\HidGuardian.sys	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\96A8D8621D30800A839D96D93C7E44160E71A00A\Blob = 03000000010000001400000096a8d8621d30800a839d96d93c7e44160e71a00a190000000100000010000000dc6e24ddb48372959c0e41ec0d03b2aa040000000100000010000000068f8a3c774814e951e2efbdbe03e93214000000010000001400000018974e0b3bb11760cf37ad075e42c4eea643d8ca0f0000000100000020000000d090677c267147d640a43c2ef06afe85c6cd49bac96cdcc273b251eacd670cc32000000001000000f5050000308205f1308204d9a003020102020c52b54b4fd5c6b3028fe4351b300d06092a864886f70d01010b0500306e310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361314430420603550403133b476c6f62616c5369676e20457874656e6465642056616c69646174696f6e20436f64655369676e696e67204341202d20534841323536202d204733301e170d3137303130333132303230395a170d3230303130343132303230395a30820108311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e3110300e060355040513073435373030306931133011060b2b0601040182373c020103130241543120301e060b2b0601040182373c020102130f4f6265726f6573746572726569636831153013060b2b0601040182373c02010113044c696e7a310b3009060355040613024154311830160603550408130f4f6265726f65737465727265696368310d300b060355040713044c696e7a311b301906035504091312576573746261686e7374726173736520323831193017060355040a1310576f686c6665696c2e495420652e552e3119301706035504031310576f686c6665696c2e495420652e552e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b8755150ba5e6d48fc6bd8be805703b3cc34e729e6d7f2b84dc2d0a10a43cff0cfbcaf84d8a9a30eb3dacd2ed68a62f5e1cbfbc68aa331845309928e2b9a0bb354a3adeebee0fc853b7e344f69e7ec54424783c6a3296957be7cbdc42d4b832ae8d4938e6470a6b5c827e58b9a146fed4dd5061db9da3c621ef0bb9def217963c120bc86045e86b1ff5dd5f55bf7311668f2fa948cd5d0184a66006baeb0261306a55a52c778ab6145d3e790ba4c00d926ed72d11fab5141a94c794d782e9a933a52fa8d195d099c83e59f39bf8d87c6bf7e1468c32f78e4da882d194efeb67885fb20c7c0cb083f3bc09b4c6f57329f4258cdd224cc5dd725a3ba4a677251670203010001a38201f1308201ed300e0603551d0f0101ff0404030207803081a006082b06010505070101048193308190304e06082b060105050730028642687474703a2f2f7365637572652e676c6f62616c7369676e2e636f6d2f6361636572742f6773657874656e64636f64657369676e7368613267336f6373702e637274303e06082b060105050730018632687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f6773657874656e64636f64657369676e73686132673330550603551d20044e304c304106092b06010401a03201023034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f3007060567810c010330090603551d130402300030450603551d1f043e303c303aa038a0368634687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f6773657874656e64636f64657369676e7368613267332e63726c303a0603551d1104333031a02f06082b06010505070803a02330210c1f41542d4f4245524f45535445525245494348204c494e5a2d3435373030306930130603551d25040c300a06082b06010505070303301d0603551d0e0416041418974e0b3bb11760cf37ad075e42c4eea643d8ca301f0603551d23041830168014dc2c582c2a6f352d9f7995a8485dc46d3e53bfb9300d06092a864886f70d01010b05000382010100c3eac141d453acec8a8338039895e5b6bd3d2967fcadbf1eb6a7583fa0441fdd5a3c973ca41b5e7908e78c1c9c8dba22250ce64c7ecf9428d9ffecbfbaaf27f42cef3a38b71667329c1678088109ee6aaa52c65f0cf0619fa298209cffadf4252833213d5a2fb607e668831c9199aefd092695ca5d1e0adce80650a199b0bdcc2c5c4c9c06fbe0ab48be42e4b8738310323b6654946d1c9684433404a0764e415271832ffb4a05c26382a4c243d8943a442bfff657a0e298cd90a9f21cd7235237de47db7863d2ad9962f612246779ae73ee805c1214cee636d4384d0b2c706f61c0e3f9a4b93c16ffd8ffbb1bb77d45b318a52677ca77d18ca8f7e140f5051d	DrvInst.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\HidCerberus.Srv\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Drivers\\HIDGuardian\\_drivers\\HidCerberus.Srv\\HidCerberus.Srv.exe\" -displayname \"HidCerberus Service\" -servicename \"HidCerberus.Srv\""	HidCerberus.Srv.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\HidGuardian.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6265.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6295.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\hidguardian.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_60308048514a1516\WdfCoInstaller01009.dll	DrvInst.exe
File created	C:\Windows\System32\SET8195.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6244.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6245.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\HidGuardian.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6244.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6245.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6265.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_60308048514a1516\HidGuardian.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_60308048514a1516\HidGuardian.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_60308048514a1516\hidguardian.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_60308048514a1516\hidguardian.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6295.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidguardian.inf_amd64_60308048514a1516\hidguardian.PNF	devcon.exe
File opened for modification	C:\Windows\System32\SET8195.tmp	DrvInst.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3448	PING.EXE
4536	PING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	HidCerberus.Srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	HidCerberus.Srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	HidCerberus.Srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	HidCerberus.Srv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	HidCerberus.Srv.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3448	PING.EXE
4536	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2652	HidCerberus.Srv.exe
2652	HidCerberus.Srv.exe
2652	HidCerberus.Srv.exe
2652	HidCerberus.Srv.exe
2652	HidCerberus.Srv.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeAuditPrivilege	2848	svchost.exe
Token: SeSecurityPrivilege	2848	svchost.exe
Token: SeLoadDriverPrivilege	2888	devcon.exe
Token: SeRestorePrivilege	644	DrvInst.exe
Token: SeBackupPrivilege	644	DrvInst.exe
Token: SeRestorePrivilege	644	DrvInst.exe
Token: SeBackupPrivilege	644	DrvInst.exe
Token: SeLoadDriverPrivilege	644	DrvInst.exe
Token: SeLoadDriverPrivilege	644	DrvInst.exe
Token: SeLoadDriverPrivilege	644	DrvInst.exe
Token: SeDebugPrivilege	2652	HidCerberus.Srv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 2888	4640	cmd.exe	73
PID 4640 wrote to memory of 2888	4640	cmd.exe	73
PID 2848 wrote to memory of 1600	2848	svchost.exe	75
PID 2848 wrote to memory of 1600	2848	svchost.exe	75
PID 1600 wrote to memory of 4116	1600	DrvInst.exe	76
PID 1600 wrote to memory of 4116	1600	DrvInst.exe	76
PID 2848 wrote to memory of 644	2848	svchost.exe	77
PID 2848 wrote to memory of 644	2848	svchost.exe	77
PID 4640 wrote to memory of 2180	4640	cmd.exe	79
PID 4640 wrote to memory of 2180	4640	cmd.exe	79
PID 4640 wrote to memory of 2116	4640	cmd.exe	80
PID 4640 wrote to memory of 2116	4640	cmd.exe	80
PID 4640 wrote to memory of 3448	4640	cmd.exe	81
PID 4640 wrote to memory of 3448	4640	cmd.exe	81
PID 4640 wrote to memory of 3772	4640	cmd.exe	82
PID 4640 wrote to memory of 3772	4640	cmd.exe	82
PID 3772 wrote to memory of 4052	3772	net.exe	83
PID 3772 wrote to memory of 4052	3772	net.exe	83
PID 4640 wrote to memory of 4536	4640	cmd.exe	85
PID 4640 wrote to memory of 4536	4640	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\HIDGuardian Install (Run as Admin).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\devcon.exe
  devcon.exe install .\HidGuardian\HidGuardian.inf Root\HidGuardian
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\devcon.exe
  devcon.exe classfilter HIDClass upper -HidGuardian
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\HidCerberus.Srv\HidCerberus.Srv.exe
  HidCerberus.Srv.exe install
  2⤵
  - Sets service image path in registry
  PID:2116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3448
- C:\Windows\system32\net.exe
  net start "HidCerberus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start "HidCerberus Service"
    3⤵
    PID:4052
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4536

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{91820aab-40cd-884d-b8ba-ac5cf9e7b910}\hidguardian.inf" "9" "4ca3f57bf" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\users\admin\appdata\local\temp\drivers\hidguardian\_drivers\hidguardian"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{233f0159-559e-5348-af07-ade87f557992} Global\{fab186dd-9d1d-f94e-9242-623233496739} C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\hidguardian.inf C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\HidGuardian.cat
    3⤵
    PID:4116
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "hidguardian.inf:c14ce88412a3285f:HidGuardian_Device:1.9.0.0:root\hidguardian," "4ca3f57bf" "0000000000000178"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4664

C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\HidCerberus.Srv\HidCerberus.Srv.exe
"C:\Users\Admin\AppData\Local\Temp\Drivers\HIDGuardian\_drivers\HidCerberus.Srv\HidCerberus.Srv.exe" -displayname "HidCerberus Service" -servicename "HidCerberus.Srv"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{91820aab-40cd-884d-b8ba-ac5cf9e7b910}\hidguardian.inf

Filesize
2KB

MD5
6b0c393b7ad7cd02d672654f16308cf8

SHA1
3d7bbd0596e7b10948e9163a65b503feed3b77d0

SHA256
e005c627e61d7926ec6df60f9a3e241f1fae05134a651259f816d1fef0145f9e

SHA512
c33d043b5ad9cb119edab4a77a2a285290158c5df75f000cfc27d35f903da254f20d1b9164e5b71aefc3d2a3697e63818d0a8b817507343762e145dd48ea877b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{91820~1\HidGuardian.cat

Filesize
11KB

MD5
ed55be0eb2910d8d7b9918eda7b0a213

SHA1
54f8ee84e102f794bc47019d2dae056c318641b5

SHA256
695bcaf8328c7d207c3c9f1bf45deda8e82bd29aa1c542f3b61a8321b1f4b9f9

SHA512
f2558f84f35dc1801e32a3b06d25d452a4e4a66c8048416d5e22d4f2756cfb88f92da4011461c4e85c0e2468ac1a59ede72089cbb72aa22f3ae7007ca57fe9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{91820~1\WdfCoInstaller01009.dll

Filesize
1.7MB

MD5
5487685a7fc7d49a43bf30593f7d8d9b

SHA1
ff1752e13c80b369157162722971b11f82228783

SHA256
24368b8dfd9dc3352390c438ee783d128cb9774755165c083aa3342d6254638b

SHA512
ac1ecb4ad5a8bf746663cf9c9bc2a47d5d0b137941f1589297b93cfb863abb515ba78ec4d249044a87b7816fadf40964f204e34b55bbc1a44efe4b06a9a78566

Download Submit
C:\Windows\INF\oem3.PNF

Filesize
7KB

MD5
6e39882770debf5514502c0208cd3598

SHA1
71245938a714a1ff6d2fffcf4ca2c32292e5dec8

SHA256
06aa0d427d5e53e22f47fb497ea99b4edb6a44a36ccf3e458a95532b82e001ae

SHA512
dc331db9b9c746cfba3d2f8661f25dcdd7f7e9e61662ad531f326715d51ae7172219bf4d269ccfdf495292f9021b1efcafb5e4ed6a8f1a4376439385be7e6bb0

Download Submit
C:\Windows\System32\DriverStore\Temp\{91fc388f-0d26-2b43-99ac-233e8f3b6048}\SET6244.tmp

Filesize
36KB

MD5
7ff3b4842c374d8b4a6b5f73ef4937b0

SHA1
3560a98e4f8051f51767ee094787896b01401674

SHA256
7853f2b2ac260a5ea9fc70e08445ca83708d73a0024154debb590bf33a0c64a7

SHA512
c980795c08425e49024537dd786f01ff4148fb628e634a7386082311a68c5eccc4ac316cae87f40d0acaf80c2e111a0cfbc806aeaaee4b980fbb7e8a82a018b8

Download Submit
memory/2116-71-0x0000013B45D60000-0x0000013B45DF8000-memory.dmp

Filesize
608KB

Download
memory/2116-72-0x0000013B47A50000-0x0000013B47A84000-memory.dmp

Filesize
208KB

Download
memory/2116-73-0x0000013B47BE0000-0x0000013B47CC2000-memory.dmp

Filesize
904KB

Download
memory/2652-75-0x000001C504D50000-0x000001C504D84000-memory.dmp

Filesize
208KB

Download
memory/2652-76-0x000001C51D760000-0x000001C51D76C000-memory.dmp

Filesize
48KB

Download
memory/2652-77-0x000001C51D950000-0x000001C51D9C6000-memory.dmp

Filesize
472KB

Download
memory/2652-78-0x000001C51D7A0000-0x000001C51D7BE000-memory.dmp

Filesize
120KB

Download